The Red Flag rules: Looming deadline for businesses

Today is the day — the Federal Trade Commission (FTC) deadline to comply with the 2003 Fair and Accurate Credit Transactions Act’s (FACTA) Identity Theft requirements. Dubbed the “Red Flag Rules,” Sections 114 and 315 of FACTA require that all financial institutions and creditors create and implement a written program for “detection, prevention and mitigation” of identity theft. 

Many businesses will miss the deadline because they are unaware that the rules apply to them. In fact, the FTC cited major industries’ “confusion and uncertainty” when extending the regulations’ original compliance deadline of Nov. 1.

Who must comply?

A common misunderstanding among businesses is that the law only applies to consumer transactions. After all, the Fair Credit Reporting Act (FCRA), to which FACTA was appended, is a consumer protection law.

But the FTC has taken the position that identity theft can occur with regard to businesses as well as individuals. Red Flag rules apply to financial institutions and creditors and are triggered when they offer or maintain covered accounts.

A creditor is defined as anyone who grants to a debtor the right “to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” In general, if a business regularly extends, renews or continues credit, arranges for someone else to do so, or is the assignee of a creditor who is involved in the decision to extend, renew or continue credit, the Red Flag Rules will apply.

The Red Flag rules define two types of covered accounts:

1.) An account primarily for personal, family or household purposes that involves multiple payments or transactions (e.g., credit cards, mortgage loans, cell phone, car loans, checking or savings accounts).

2.) Any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft (emphasis added), such as a small business or sole proprietorship account.

It’s the second definition that has created problems for business creditors. 

Businesses must comply with the new rules when there is a “reasonably foreseeable risk” that identity theft could occur against a new or existing business credit account. 

This risk can be posed to either the customer or the creditor. If there is a reasonably foreseeable risk, the creditor must develop a plan to “detect, prevent and mitigate” the theft and its effects. Because of the broad definitions in these regulations, the Red Flag Rules essentially include all companies, regardless of size, that maintain, or otherwise possess, consumer information for a business purpose and grant credit.

Penalties for Non-compliance

Non-compliant companies will be subject to audits, fines and class action suits.

The FTC can file actions to enforce compliance and seek monetary penalties of up to $2,500 for each independent violation. The states also can bring actions on behalf of residents and may recover up to $1,000 for each violation.

Then there’s the high cost of negative publicity. Consumers do business with those they trust. Security breaches make great headlines and can do irreparable damage to a business’ reputation and continued profitability. 

On May 1, 2009, many small and mid-size businesses assuming the Red Flag Law doesn’t apply to them will be exposed to a potentially significant liability. Business owners take heed: Look into the Red Flag rules and check with your advisors to ensure you’ve properly mitigated your risk of identity theft.