According to the Federal Trade Commission (FTC), in 2006, there were nearly 10 million victims of identity theft in the United States. The cost to businesses and individuals was roughly $53 billion; a staggering bleed out as consumers lost wages and businesses were forced to write-off merchandise purchased fraudulently.
After a six-month delay, the May 1, 2009 deadline for companies to be in compliance with the FTC's Red Flags Rules regulation is fast approaching. The regulations will require most creditors and financial institutions to adopt a written program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. A "red flag" is a pattern, practice or specific activity that could indicate identity theft. The FTC lists 26 red flags, but that list is far from complete. A covered account, as it pertains to business creditors, is any account designed to permit multiple payments or transactions or for which there is any reasonably foreseeable risk from identity theft.
The FTC and NACM have partnered together to educate members of their responsibilities and the initiatives they should take to ensure those affected are in compliance with the federal regulation. In the second joint teleconference between the FTC and NACM, the FTC's Manas Mohapatra, attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, outlined what the agency expects business creditors to put into place.
"Many people confuse data security with the Red Flags Rules," said Mohapatra. "These are two distinct but related concepts. Data security is aimed at protecting the personal information that you have about your customers. The Red Flags Rules pick up where data security leaves off."
He added, "Despite the best of efforts, thieves do steal people's information. Red Flags Rules are aimed at stopping and identifying identity thieves from using someone else's personal information at your organization to commit fraud or illegally obtain goods and services."
To help companies establish their policy, the FTC has published a list of guidelines, divided into seven steps: incorporating existing policies and procedures, identifying relevant red flags, setting up procedures to detect red flags, responding appropriately to red flags, updating the program, administering the program and considering other legal requirements. The FTC continues to stress that a creditor doesn't have to start from scratch on their program; they can tailor their program and build upon fraud or security measures they might already have in place.
"The guidelines state that a financial institution or creditor doesn't have to build the Red Flags program from scratch. You can incorporate relevant existing policies and procedures, such as from existing fraud prevention programs or information security programs. Then, look for gaps that need to be filled," said Mohapatra.
In reality, most companies would simply need to write down the policies and procedures they use to verify the identity of their customers, and what they do when they discover that the information on a credit application or purchase order is suspected to be fraudulent or compromised. As long as those steps are outlined and a board of directors or senior management agrees upon them, a company has met the FTC's general requirements. The other positive aspect of going forward and developing this policy is that part of the Red Flags Rules guidelines requires that companies periodically check to ensure that the accounts they offer are not subject to a reasonably foreseeable risk of identity theft. So, though those accounts may not be susceptible now, it does not mean that the same can be said months or years down the road. The standard with the Red Flags Rules is a reasonably foreseeable risk of identity theft, not any risk of identity theft.
"Each business is unique and there's no one-size-fits-all program," said Mohapatra. "You know your business inside and out so you tailor your program to your business and the risks you face."
The purposefully ambiguous wording of the FTC regulation means its jurisdiction can be broad, and NACM has been actively advising members to be proactive and develop their own Red Flags program. Any credit professional in need of a thorough run-down of the regulation can turn to the March issue of Business Credit magazine where NACM provides members a detailed explanation and breakdown of the rules' tenets, as well as a sample policy that credit managers can use as a guide to construct their own Red Flags program.
"I want to clarify that accepting credit cards does not make you a creditor," said Mohapatra. "There, the entity extending the credit is the organization that issued the credit card. The fact that you accept a credit card will not on its own make you a creditor. If you are extending credit—providing products and services that people can pay for after they have been delivered—under FACTA and the ECOA that is considered credit. There's no distinction between consumer or business credit. If you are extending business credit, then you probably fall under the creditor wing of this rule."
For more information on the FTC's Red Flags Rules, visit www.ftc.gov or refer to the March issue of Business Credit magazine.
Matthew Carr, NACM staff writer