On August 1st, 2009 the FACTA Red Flag Rule goes into effect. If you're the average small business owner you haven't even heard about the Red Flag Rule. You might also think it only applies to financial institutions. However, these new regulations affect almost every business. The rules can be onerous to comply with and come with sharp teeth. Not a good combination for small businesses struggling just to stay afloat.

So what is the Red Flag Rule? In short, it requires businesses to develop and implement a program that will identify potential identity theft through suspicious activities. These patterns of suspicious activities are called "red flags." Every business must create a compliance program to identify and respond to red flags. Once developed, employees must be trained on the program.

The Red Flag Rule is enforced by the Federal Trade Commission (FTC). However, as with other recent privacy legislation, there are allowances for individuals to seek damages from businesses. In other words, trial lawyers will be salivating to put together class action lawsuits. After August 1st, if an employee fails to recognize an identity theft red flag and report it, the penalty could be a financially crippling lawsuit.

The rule applies to any business that offers or connects customers to credit. Almost every business qualifies, including:

Medical Practices - Because payment is made via an insurance company the FTC has ruled that medical offices must comply. The AMA has been unsuccessful in getting relief from the rule with an argument that practices are already covered by HIPAA.

Retail Stores - The only exception is if a store deals exclusively in credit cards and cash. If a store allows purchases via credit, internal or external, they must comply. This is everyone who sends out invoices.

Services - Phone companies, cell phones, power companies or anyone else that extends credit.

Car Dealerships - This includes boat sales, RVs, motorcycles and power sports.

Banks and Financial institutions - Everything from the local bank to credit cards to mortgage brokers.

Schools - Any school, college or university that provides or accepts financial aid.

There are numerous methods to get in compliance. At the high end is bringing in a law firm to go over all of your business practices and design a custom program. This is very expensive but is the most thorough and you are all but certain of compliance. At the bottom end is an off-the-shelf solution. They are not very expensive but may require a great deal of customization and have no assurance that your business will be in compliance.

Any solution you choose needs to have some basic components. The FTC mandates these four parts:

1. Identify relevant red flags. - Identify the warning signs of identity theft that are specific to your business. Some common ones are suspicious documents, changes of address, warnings from credit agencies, and notices from victims or law enforcement.

2. Detect red flags. - Put in procedures that will detect the red flags in day-to-day business practices.

3. Prevent and mitigate identity theft. - Put in reasonable responses when red flags are detected. This includes monitoring or closing accounts, not opening an account or notifying potential victims of a problem.

4. Update your program periodically. - Every program should be evaluated and updated for business practice changes and identity theft trends.

Once you have created a compliance program you will need to educate your employees. This means more than just handing out a document but actively working with them to protect all the private information in your care. All training should be documented for compliance records.