Preparing for the FACTA Red Flags Rule
Perhaps you have heard about a regulation the Federal Trade Commission (FTC) has been discussing for some time now, the Red Flags Rule. The Red Flags Rule stems from the Fair and Accurate Credit Transactions Act of 2003 (FACTA). As of this writing, enforcement of the mandate is scheduled to begin November 1, 2009.
FACTA added sections to the federal Fair Credit Reporting Act intended primarily to help consumers fight the growing crime of identity theft. In adopting FACTA, Congress recognized that consumers were unable to prevent identity theft and could only react long after the event had occurred. To stop the fraud at its source, businesses that offer credit need to recognize and act on the events that signal a potential fraud.
Six agencies were involved in drafting the Red Flags Rule: the Treasury Department's Office of Thrift Supervision and Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., the Federal Trade Commission, the National Credit Union Administration and the Federal Reserve System. The guidelines accompanying the Rule list 26 illustrative "Red Flags," patterns, practices and activities that may be indicators of attempted fraud; the list is a starting point, not an exhaustive set, and each organization is expected to identify the Red Flags relevant to its own accounts.
According to FTC statistics, nearly 10 million people in the US were victims of identity theft in 2008. In the broadest sense, identity theft is the act of someone assuming the identity of another individual to gain access to the victim's personal resources. Last year over 35 million known data records containing sensitive personally identifiable information (PII) were stolen.
While some perpetrators know their victims, having stolen their wallets, credit cards, checkbooks or other personal items, the vast majority do not. Identity theft comes in many forms, and most victims learn of it long after the initial event, often months or even years after the fact.
Most data theft is due to poor controls surrounding PII. This ranges from sensitive paper records being thrown in dumpsters to electronic records being improperly secured online and breached by attackers.
Personal resources accessed by data thieves may include use of credit cards, establishment of credit under the victim's identity, and access to utilities, healthcare benefits, banking, employment, loans, government benefits, and many other resources, limited only by the imagination of the perpetrator. The common element is the use of the defrauded individual's persona to gain credit or access to established resources.
The Red Flags Rule applies to both financial institutions and creditors. The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. These companies may not traditionally be thought of as extending credit and include utility companies, health care providers, telecommunications companies, cable and satellite providers, and others, depending on how and when they collect payment for their services.
The Rule also defines a "creditor" as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others by processing credit applications. Additionally, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit; for example, a third-party debt collector who regularly renegotiates the terms of a debt.
Organizations that are covered under the Red Flags Rule must create a written Identity Theft Prevention Program that is reviewed and approved by the organization's board of directors (or, where there is no board, by a designated senior manager) and that includes policies and procedures to:
- Identify the Red Flags that pertain to their business and the accounts they offer
- Detect the identified Red Flags in the course of opening and servicing accounts
- Define the actions to be taken when Red Flags are detected
- Update the program periodically as Red Flags and risks change, train employees, and oversee third-party service providers who handle covered accounts
Depending on the business, an appropriately designed and managed program may require considerable skill and effort. Most organizations will do well to reach out to experts when designing their programs. Is your organization subject to the Red Flags Rule?
Information Defense is prepared to help evaluate whether your organization is subject to the FTC rule and to assist in defining and developing the steps necessary to reach compliance. Contact us here for further information.