The Federal Trade Commission has once again postponed enforcement of the Identity Theft Red Flag Rules of the Fair and Accurate Credit Transactions Act of 2003. The May 1, 2009, deadline was extended to Aug. 1, 2009. The FTC stated the further delay is intended "to give creditors and financial institutions more time to develop and implement written identity theft prevention programs."
FTC Chairman Jon Leibowitz said the extra time will "allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further."
The agency has provided the following resources to help businesses determine if they are subject to the rule, answer common questions and help businesses build their programs.
"These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point," the FTC business alert states.
The FTC's business alert indicates creditors are subject to the rules and describes creditors as including "finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies. Where nonprofit and government entities defer payment for goods or services, they, too, are to be considered creditors."
Covered accounts subject to the rules are also any account "for which there is a foreseeable risk of identity theft - for example, small business or sole proprietorship accounts."
Understanding that distinct business types carry various levels of risk and hold different kinds of consumer information, the FTC does not expect every enterprise to implement the same type of identity theft program.
You only need "a Red Flags policy in place that fits the nature, scope and complexity of your business and gets you to a procedure that you follow that would allow your business, you or your employees to pick up those reasonably foreseeable Red Flags," said Brian Bradley, Executive Vice President, Strategy and Emerging Markets, for MicroBilt Corp., a risk management provider.
"The intent was to deal with any businesses that have access to private consumer information, but the details just weren't there," Bradley said. "I think that it is not unusual for these regulations to be a little more open-ended than people would like."
Bradley said furniture stores and doctors exemplify types of businesses that are not as accustomed or adept at detecting patterns that are indicative of risk as financial institutions and bankcard acquirers.
"It really doesn't have to be a significant investment of money or time to be able to comply," Bradley said. "It looks like a big job, but I think once it's demystified, once you look into it, it's pretty easy to put it into place and then to follow it and make it part of your standard process."
The FTC increased the fine for failure to have a proper identity theft program in place to $3,500 per transaction completed while a business is deemed out of compliance with the Red Flag Rules.
Though he thinks the FTC will work with businesses to help them get up to speed, Bradley also said, "I think that you can expect that [the FTC] will make examples of businesses that fail to have an ID theft program in place. ... In the egregious cases, you will probably see some enforcement action."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next