Red Flags, Gray Areas: Are You Compliant with New ID Theft Prevention Laws?
Bradley, Brian, Business Credit
Technically in place since January, the FTC's red flag rules designed to prevent identity theft become fully effective November 1. The regulations require businesses extending credit to customers to have comprehensive programs in place for verifying an applicant's identity, and for taking specific actions if a potential fraud is detected.
The FTC outlines a four-step process:
1. Identifying "red flags." This involves adopting a company-specific written policy.
2. Detecting red flags, meaning applying the new written policy.
3. Responding to red flags.
4. Updating policies.
What Do You Have to Do by 11/1?
Businesses listed among those required to comply predictably include banks, credit unions and mortgage brokers, but also utility companies, telecommunications companies, healthcare providers, debt collectors and auto dealers, all businesses that offer accounts "for which there is a reasonably foreseeable risk to customers or the safety and soundness of ... the creditor from identity theft." And while identity theft primarily has been directed at consumers, the FTC made it clear that small businesses have also been targets of identity theft.
Each business' individual program can be tailored to its size, complexity and nature of its use of credit. A large bank, for example, needs to have much more extensive policies than a lumberyard or plumbing supplier.
That's good because, while most financial institutions have been working on red flag programs for some time, many businesses in the "small auto dealer" or "building supplier" category are just learning the extent to which they are impacted, and racing to come to terms with what exactly that means.
The first step, defining a process for identifying red flags, involves the time-consuming effort of going through the guidelines to assess the degree to which a business is required to comply. Once in place, the company's written policy must be followed during every transaction that involves pulling credit or the use of other Fair Credit Reporting Act (FCRA) data.
What Constitutes a Red Flag?
A "red flag" is a pattern, practice or specific activity that indicates the possible risk of identity theft. In its guidelines, the FTC specifies 26 red flag examples but says that, depending on the type of business, the actual number may vary.
As the guidelines evolved and the deadline approaches, the agencies updating the rules have recognized that the final rules and guidelines cover a wide variety of financial institutions and creditors that offer and maintain many different products and services, and require the flexibility to be able to adapt to rapidly changing risks of identity theft. This flexibility is good from an implementation standpoint, but the liability should a business miss something based on their own interpreted of the rules is unclear.
The guidelines do identify five categories of potential red flags:
1. Suspicious documents, including:
* Driver's license that appears to have been altered or forged
* Photographs and physical description on a driver's license that don't match the applicant
* Credit application that appears to be altered or forged
2. Suspicious activity, such as:
* Delinquent accounts where there is no history of late or missed payments
* Notice from a customer that the customer is not receiving paper account statements
* Notice of unauthorized charges or transactions
3. Inconsistencies between credit reports and application data: name, SSN, DOB, address, phone, driver's license information
4. Inconsistencies between personal ID data such as SSNs and data from external information sources
5. Notices of fraud on an account
The first two red flag categories, suspicious documents and activities, require physical inspection of ID documents and a review of existing accounts. …