New ID Theft Rules Kick In Nov. 1

Once thought to apply only to large financial institutions, new federal Red Flag regulations to battle identity theft are raising questions among companies originally considered to be exempt. Rules not only require a written ID theft policy that identifies patterns and practices that lead to identity but also a plan action when the red flags drop.

The Nov. 1 deadline for new federal identity theft regulations requiring financial institutions and other creditors that provide financing is fast approaching. Known as FACTA (Fair and Accurate Credit Transactions Act), the rules require covered entities to re-examine their ID theft prevention policies and implement new procedures and business practices.

More specifically, FACTA requires a written ID theft prevention policy that includes polices that identify "patterns, practices or specific activities that could indicate identity theft," according to the FTC (Federal Trade Commission). Violators of the new rules can be subject to civil penalties of up to $2,500 per violation.

The new regulations - also known as Red Flag rules -- have long been thought to only apply to financial institutions such as banks, savings and loans, mortgage lenders and credit unions, but as the compliance deadline nears, SMBs (small and midsize businesses) are concerned the rules may also cover them. While clearly targeting financial institutions, the rules also cover "any person or business" that arranges for customer credit.

"A creditor includes anyone who regularly extends credit to their customers, but the definition is not limited to that and can be broader," said Frank Dorman, a spokesman for the FTC.

The agency defines a creditor as "any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit."

A business alert issued by the FTC adds, "Accepting credit cards as a form of payment does not in and of itself make an entity a creditor."

When asked if the Red Flag rules apply to SMBs, Steve Neville, Entrust's director of identity products and solutions, replied, "Technically not, but it is a devilishly detailed question."

Neville said most companies that extend credit to customers are doing so through an intermediary such as GE Creditline. In that case, GE would assume responsibility for FACTA compliance. Companies that don't use intermediaries would be subject to the Red Flag rules.

The FTC added the Red Flag rules to FACTA in January. Businesses are required to define policies for recognizing red flags in identity verification. Typical red flags include discrepancies in address histories, fraud alerts on consumer reports, questionable use of Social Security numbers, credit freeze notifications and unusual patterns of customer activities.

Once those definitions are in place, companies are then required to define appropriate courses of action when a red flag drops.

The new Red Flag rules evolved over a long series of congressional hearings that sought to find the causes of identity theft, particularly phishing and pretexting, the practice of using false pretenses to obtain the telephone records of another person.

Pretexting gained widespread notoriety in 2006 when Hewlett-Packard admitted it used pretexting to obtain the personal telephone records of board members and the media as part of its efforts to investigate boardroom leaks. In addition to HP, the hearings revealed many companies were being duped into turning over personally identifiable customer data.

The FTC estimates that as many as 9 million Americans have their identities stolen each year.