Merchant Account Types
Merchant Account Providers
News & Advice
Merchant Account Tools
'Red Flags Rules' require merchants to help fight ID theft
'Red Flags Rules' go into effect Nov. 1
By Bobbi Dempsey
Editors note: On July 29, 2009, the Federal Trade Commission again delayed the deadline for compliance with its Red Flags Rules until Nov. 1, 2009. Click here to read the FTC's press release announcing the delay.
Merchants will soon be required to more-equally share the burden of responsibility in protecting their customers from identity theft. On Nov.1, 2008, lenders and businesses that extend credit (including credit card issuers) are required to establish policies -- called the Red Flags Rules -- to help detect possible fraud.
The Federal Trade Commission estimates that up to 9 million Americans will be victims of this crime every year. To try to combat the problem, new regulations will force businesses to step up their efforts to detect and prevent identity theft through the development of and adherence to more stringent fraud detection policies.
Businesses take a more active theft prevention role
"The idea behind the Red Flags Rules is that the burden should be shifted from the consumer to the business," says Eduard F. Goodman, general counsel and chief privacy officer at Identity Theft 911, an identity-theft education solutions organization. "Of course, it's important for consumers to be careful and smart about protecting their information, but it's no longer just their responsibility. After all, businesses are the gatekeepers of the information."
The Red Flags Rules were created as part of a joint effort between the FTC, the National Credit Union Administration (NCUA) and the federal bank regulatory agencies. The rules require the financial institution or creditor to have some kind of written policy in place "that can identify a potential case of identity theft." The FTC compiled a list of 26 such red flags, including unusual account activity, invalid personal information and documents that look suspicious.
In simple terms, this means each business must establish a policy for spotting danger signs -- say, if the address on a credit application doesn't match the one on the credit report for that person -- and outline steps to handle them. Steps could range from requiring further documentation to denying the application.
Initial culture shock
In the beginning, the initial execution may be a hassle for both sides. "Businesses and consumers alike are going to experience some initial culture shock as a result of the Red Flags Rules implementation," says Joe Campana, author of "Privacy Makeover: The Essential Guide to Best Practices." (Compliance documents and other resources are available at the book's companion Web site.)
"The businesses are going to have to experience the implementation process, which may be painful for some, and the consumers are going to be experiencing a little more scrutiny when they apply for a new financial or credit account or when they attempt to change an existing account," says Campana.
Who needs to create Red Flags rules?
That means that even colleges and universities could be subject to these rules, under certain conditions -- such as if they serve as a lender in various student loan programs, or if they offer a payment plan in which students can pay tuition in installments.
For small businesses, it might be especially tough to meet the Nov. 1 deadline. "Most large businesses have already been doing this for some time," says Goodman. "The reality is, small and midsized businesses haven't really been thinking about this. They've been too busy running their businesses."
Consumer comfort brings inconvenience
Goodman says much of the Red Flags process will take place behind the scenes, so consumers will probably be unaware of them. "There are more steps in the background. For example, businesses need to be alert for customers who have a fraud alert on file," he says. Ideally, this process will be painless -- and invisible. "A good Red Flag program is one where the consumer won't even notice," Goodman says. "It will seem to be just business as usual."
How can consumers know if a business is abiding by the rules? "I think businesses may give a general notice, like 'We are Red Flag compliant.' But they're not going to give specific details, because that would enable thieves to try and pinpoint weak spots or figure out how they can work around it,." says Goodman.
A tipoff: If you have a fraud alert on record and the lender or creditor doesn't ask about it or contact you, then they probably didn't check.
While the new rules may involve a little extra paperwork and a few additional questions, the experts say it's worth it. "The almost inconsequential time consumers are going to spend being asked some additional questions could literally save them thousands -- if not tens of thousands -- of dollars, hundreds of hours of time, and the distraught of becoming an identity theft victim," says Campana. "I believe that if the Red Flags Rules are implemented and practiced, that we will see a sharp decline in identity theft, especially the types that result in financial fraud."
Updated: July 29, 2009