Monday, July 27, 2009

Red Flag for Business: A New Rule with an August 1 Deadline

Many human-owned businesses (mine and very possibly yours) are required by the Fair and Accurate Credit Transactions Act of 2003 (FACT) to have a written policy and procedures to avoid identity theft in place by August 1, 2009.

The fact that this “Red Flags Rule” comes under FACT may lead some to assume the rule applies only to banks and credit card issuers. Wrong. This rule applies to the many of us in business who extend credit to our customers.

My law partner Barb Wells (get to know her better from my post Cuba Invades) tells me that the rule applies to most any business that provides goods or services and bills for them later if there is a “foreseeable risk of identity theft,” such as in small business accounts, or where the credit granted is for mostly personal, family or household purposes. Merely accepting credit card payments does not bring you under the rule, but if you, like me, send a bill after giving value (time or things) to your customer, read on.

The Red Flags rule is intended to help both businesses and consumers avoid harm from identity theft. For example, the business that regularly bills for goods or services after the customer receives them can be harmed if the customer account was opened by an identity thief, and the person whose identity was stolen can also be harmed. When the account can be accessed by the internet or telephone, the possible identity theft issues are greater than when the customer actually comes to the office and is known to you.

If the rule applies, your business must have a written policy and procedures to identify the red flags the business believes will indicate possible identity theft, a process to follow to be alert to those red flags, and a procedure to follow when a possible issue is detected. Once in place, company employees must be properly trained in the program and the company’s program must be reviewed at least annually. Lastly, the Red Flags Rule requires that your service providers with access to customer or vendor accounts (such as a computer servicing company) also have their own policy and procedures in place. The FTC’s How To guide on the red flags rule can be found here.

Many human-owned businesses that extend credit probably have implemented something along these lines—after all, fraud prevention is good business—but now you need to make sure what you do meets the government mandate. And, by the way, the FTC has authority to fine you for your failure to comply. Many investigations of non-compliance will come only after an identity theft loss has occurred; don’t risk adding insult to injury. See your business lawyer and get your compliance program in place as soon as possible.

1 comment:

  1. This subject is becoming so much more important every year as we see so many Americans being targeted by identity thieves. It is now so big that businesses across the world lose $221 billion a year due to identity theft. Since the FTC announced their plans to set up the Red Flags Compliance Rules, my colleagues and I have been working hard to assist companies with this, as we have all been involved in the Finance Risk Management industry for many years. If anyone needs any help with this, please do not hesitate to contact us and you can do this via our website at www.idsure.org. One of the biggest problems we find businesses and consumers have is actually identifying whether an "ID" like, for example, a driver's license is a real one or not, and this is how we can help. At a push of a button we can stop you being the target or stop others being the target of identity fraud.
