Under federal regulations which became effective in 2010, businesses which provide credit to customers must have an identity theft protection program in place and take certain other actions to protect against identity theft. The Federal Trade Commission (FTC), acting with the federal bank regulatory agencies, and the National Credit Union Administration, have jointly issued regulations under the Fair and Accurate Credit Transactions (FACT) Act of 2003, called the “Red Flags Rules,” requiring certain businesses to develop and implement written identity theft prevention programs. Although targeted at finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies, the regulations cover any business that is a “creditor.” A creditor is defined by the regulations very broadly as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.” Accepting credit cards, however, does not in and of itself make a business a “creditor.”
If a business is covered by the regulations, it must develop written policies to identify patterns, practices, or specific activities, known generally as “red flags,” that could indicate the presence of identity theft. Just as varied as the businesses regulated under these new provisions, “red flags” can take many forms, but these certainly include the use of suspicious documents or personal identification, such as a phony address, unusual account activity, and alerts on credit reports. Appropriate procedures could include criminal background checks upon the hiring of staff, limiting the distribution of information, and verification procedures for identification. A business covered by the regulations must also have procedures describing appropriate responses that would prevent and mitigate an identity fraud, and a schedule for keeping the program up-to-date through periodic reviews. The program must be managed by the senior employees of the business, and provide for training and for the oversight of any service providers. Compliance guides, templates and other helpful material is available through the Red Flags Rule website found at www.ftc.gov/redflagsrule.