ID theft : Red Flag Rules

FTC "Red Flag Rules" August 1 deadline

IdentityTheft — Tue, 21 Jul 2009 19:05:00 GMT

There’s been a lot of confusion about the FTC’s definition of creditor, with many people assuming it applies only to financial institutions, mortgage brokers and finance companies. But it turns the definition is much broader.

If you’re still confused about whether or not the Federal Trade Commission’s “Red Flag Rules” apply to your business, here’s a simple quiz to help you sort it out: Do you provide goods or services and defer payments or accept partial payments toward the total balance? If so, you’re a creditor and have 10 days to meet the FTC’s August 1 deadline and get your ID theft prevention program together.

If you own a dry cleaning business that allows customers to run monthly tabs, or you’re an attorney who accepts a down payment for total services to be rendered, you’re a creditor. Orthodontists who set up payment plans for kids’ braces? Yep.

The good news is most creditors are small businesses, and meeting the requirements shouldn’t be a huge undertaking. The red flags are only common sense warning signs; they just need to be documented and your employee trained.

What to watch for

Be on the lookout for fake documents. Does the photo look authentic and match the customer’s appearance? Does the address match the information you have on file?
Watch for unusual use of an established account. If a normally reliable customer is months late on payments, or making uncharacteristically expensive purchases, it might be a sign of account takeover.
Fraud alerts and credit freezes are placed on credit files by consumers who are already ID theft victims, or think they might become victims—for instance, someone who’s lost a wallet. If you run a credit check on someone and find a fraud alert or freeze, take extra steps to confirm identity.

All that’s left is to put your plan in writing, discuss it with employees and determine who among your staff will be the go-to person.

FTC Red Flag Rules: Small business compliance made easy ... really

IdentityTheft — Tue, 26 May 2009 16:55:00 GMT

The FTC has finally come up with a tool to make Red Flags Rules more easily understood and small business compliance easier to implement.

Initially created in 2003, the FTC has repeatedly delayed enforcement of the rules for recognizing and responding to identity theft’s warning signs, largely because of confused interpretation of the term “creditor”.

In response, the FTC has developed a simple six-page, four-step outline for small and low-risk businesses along with guidelines for determining whether a business falls into this category. How can you tell if your business is at low risk for identity theft?

Do you have few clients or customers whom you know by sight?
Do you provide services in your customers’ homes?
Is your line of business frequently linked to identity theft?
Has your business ever been linked to an identity theft incident?

If you answered yes to the first two questions and no to the last two questions, chances are you have a low-risk business, and can easily meet Red Flag Rules requirements by using the simple form created by the FTC.

The Identity Theft Prevention Program designed by the FTC, available here, guides business owners, board members or senior managers through the process in four easy steps:

Identifying relevant red flags
Detecting red flags
Responding to red flags
Administering your program, including designating the employee responsible for implementation; training methods; identifying service providers that might detect ID theft; and deciding how to update your program and keep it current.

FTC delays Red Flag Rules enforcement ... again

IdentityTheft — Fri, 01 May 2009 18:01:00 GMT

The Federal Trade Commission has granted yet another delay in the enforcement of the Red Flag Rules, pushing the deadline to November 1, 2009.

The initial compliance deadline was November 2008, but after five years of procrastination, retailers, health care providers and law firms that extend credit claimed to be surprised to learn they were considered creditors, and asserted they needed more time to devise their identity theft recognition and prevention strategies.

In response to their well-funded hue and cry, the FTC allowed creditors another six months to comply and moved the deadline to May 1, 2009.

The red flags businesses and creditors are to watch for are pretty straightforward:

Identifying documents that appear fraudulent (If it looks like the fake ID you used to buy beer as a college student, consider that it might be a fake ID.)
Photo IDs that don’t match the person offering them (If a white man offers a driver’s license with a picture of a black woman on it, that should be a red flag.)
Repeated or unreported changes of address (An established client’s address is changed to that of a storage facility.)
Unusual use of established account (a client’s increase in credit usage or change in usage pattern, e.g., a customer who historically paid off low account balances monthly suddenly exceeds allowed maximum balance.)
Fraud alert or freeze on a credit report (If a credit check reveals the credit applicant has been a victim of identity theft, consider the possibility that the person asking you to extend credit might not who they say they are.)

The Rules were established by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), in an effort to force businesses to better protect consumers from identity theft and credit fraud. While creditors will undoubtedly accept the delay gratefully, it does make a thinking person question the sincerity of the FTC’s stated intent of protecting consumers.

Attorneys and the Red Flag Rules

IdentityTheft — Fri, 03 Apr 2009 15:10:00 GMT

Attorneys have until May 1 to have their Red Flag Rules in place, according to the Federal Trade Commission. The rules were established in 2003 as part of the Fair and Accurate Credit Transaction Act (FACT Act), the same congressional act that allows consumers to routinely view their credit reports without charge.

Under the Red Flag Rules, anyone who extends credit must develop policies and procedures to identify and respond to any potential identity theft attempts. The warning signs—red flags—include:

Identification documents and credit or debit cards that appear to have been altered or fraudulently manufactured.
Photo identification in which the photo doesn’t appear to represent the client offering it.
Unexpected or suspicious changes of address.
A fraud alert or credit freeze on the clients’ credit report.
Unusual account activity.

The federal agency’s definition of creditor originated with the Equal Credit Opportunity Act. The broad definition encompasses any businesses that extend credit or defer payment for services rendered. As such, attorneys who offer delayed or partial payment for client representation are included.

Small businesses, doctors’ offices and medical facilities were taken by surprise when they discovered a few months ago that they were included in the FTC’s definition of “creditors,” and the American Medical Association has petitioned the FTC for an exclusion or a delay in enforcement of the rules.

The FTC response was that the rule won’t provide an undue burden. “For example, a small medical practice with a well-known, limited patient base might have a lower risk of identity theft, and thus might adopt a more limited program than a clinic in a large metropolitan setting that sees a high volume of patients.

Presumably, the same applies to legal practices, though even small criminal law practices might be required to apply more stringent rules.