
'Red Flags Rules' require merchants to help fight ID theft

'Red Flags Rules' go into effect Nov. 1

By Bobbi Dempsey

Editor's note: On July 29, 2009, the Federal Trade Commission again delayed the deadline for compliance with its Red Flags Rules until Nov. 1, 2009. Click here to read the FTC's press release announcing the delay.

Merchants will soon be required to share more equally the burden of responsibility in protecting their customers from identity theft. On Nov. 1, 2008, lenders and businesses that extend credit (including credit card issuers) are required to establish policies -- called the Red Flags Rules -- to help detect possible fraud.

The who, what, when, where and why of the new Red Flags Rules

Who: Financial institutions and creditors including car dealerships, finance companies, mortgage companies, utilities and other businesses that extend credit.

When: Nov. 1 is the deadline to have a plan in place.

Why: Identity theft and other types of fraud victimize more than 9 million Americans each year.

How: Most of the specifics are left up to merchants to decide. They are simply required to have some kind of plan in place -- in writing -- and to make sure employees follow it.

What types of accounts: The rules apply to "transactions accounts," which are accounts at a financial institution from which you make payments or transfers; and "covered accounts," which include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts and savings accounts. These aren't just personal/individual accounts -- the rules cover any accounts that might be at risk of identity theft, so accounts used by small businesses or individual proprietors would also be affected.

The Federal Trade Commission estimates that up to 9 million Americans will be victims of this crime every year. To try to combat the problem, new regulations will force businesses to step up their efforts to detect and prevent identity theft through the development of and adherence to more stringent fraud detection policies.

Businesses take a more active theft prevention role
Financial institutions and creditors -- including finance companies, car dealers and mortgage brokers -- have until Nov. 1 to establish written privacy protection programs in order to comply with the Red Flags Rules. This set of rules was an offshoot of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, which amends the Fair Credit Reporting Act (FCRA).

"The idea behind the Red Flags Rules is that the burden should be shifted from the consumer to the business," says Eduard F. Goodman, general counsel and chief privacy officer at Identity Theft 911, an identity-theft education solutions organization. "Of course, it's important for consumers to be careful and smart about protecting their information, but it's no longer just their responsibility. After all, businesses are the gatekeepers of the information."

The Red Flags Rules were created as part of a joint effort between the FTC, the National Credit Union Administration (NCUA) and the federal bank regulatory agencies. The rules require the financial institution or creditor to have some kind of written policy in place "that can identify a potential case of identity theft." The FTC compiled a list of 26 such red flags, including unusual account activity, invalid personal information and documents that look suspicious.

In simple terms, this means each business must establish a policy for spotting danger signs -- say, if the address on a credit application doesn't match the one on the credit report for that person -- and outline steps to handle them. Steps could range from requiring further documentation to denying the application.

Initial culture shock
Failure to comply means the risk of fines from the FTC and other government agencies, plus the possibility of lawsuits from consumers who suffer identity theft losses due to inadequate protection policies. Most likely, there will be a grace period while businesses get their programs up to speed. "I'm guessing they probably won't start enforcing this for at least six months or so," Goodman says.

In the beginning, the initial execution may be a hassle for both sides. "Businesses and consumers alike are going to experience some initial culture shock as a result of the Red Flags Rules implementation," says Joe Campana, author of "Privacy Makeover: The Essential Guide to Best Practices." (Compliance documents and other resources are available at the book's companion Web site.)

"The businesses are going to have to experience the implementation process, which may be painful for some, and the consumers are going to be experiencing a little more scrutiny when they apply for a new financial or credit account or when they attempt to change an existing account," says Campana.

Who needs to create Red Flags rules?
The Red Flags Rules apply to financial institutions and businesses that grant credit. It's the second category that gets a little fuzzy. In a Red Flags Rules bulletin, the FTC defines a creditor as "any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit." The bulletin goes on to say, "Where nonprofit and government entities defer payment for goods or services, they, too, are to be considered creditors."

That means that even colleges and universities could be subject to these rules, under certain conditions -- such as if they serve as a lender in various student loan programs, or if they offer a payment plan in which students can pay tuition in installments.

For small businesses, it might be especially tough to meet the Nov. 1 deadline. "Most large businesses have already been doing this for some time," says Goodman. "The reality is, small and midsized businesses haven't really been thinking about this. They've been too busy running their businesses."

Consumer comfort brings inconvenience
What about the inconvenience for consumers? "Consumers may notice a few extra questions being asked, or requests for supporting documentation in certain circumstances, like when they open a new or try to change an existing financial or credit account," says Campana. "Rather than challenge the employee at the institution that requests the information, I'd suggest that we thank them for asking!"

Goodman says much of the Red Flags process will take place behind the scenes, so consumers will probably be unaware of them. "There are more steps in the background. For example, businesses need to be alert for customers who have a fraud alert on file," he says. Ideally, this process will be painless -- and invisible. "A good Red Flag program is one where the consumer won't even notice," Goodman says. "It will seem to be just business as usual."

How can consumers know if a business is abiding by the rules? "I think businesses may give a general notice, like 'We are Red Flag compliant.' But they're not going to give specific details, because that would enable thieves to try and pinpoint weak spots or figure out how they can work around it," says Goodman.

A tipoff: If you have a fraud alert on record and the lender or creditor doesn't ask about it or contact you, then they probably didn't check.

While the new rules may involve a little extra paperwork and a few additional questions, the experts say it's worth it. "The almost inconsequential time consumers are going to spend being asked some additional questions could literally save them thousands -- if not tens of thousands -- of dollars, hundreds of hours of time, and the distraught of becoming an identity theft victim," says Campana. "I believe that if the Red Flags Rules are implemented and practiced, that we will see a sharp decline in identity theft, especially the types that result in financial fraud."

Updated: July 29, 2009
