Legal Review: Flag on the Play: Are You Ready for the FACTA Red Flags Rule?
1 Feb, 2009
By: Linda A. Goldstein
Response
In December 2003, the Fair and Accurate Credit Transactions Act (FACTA), a set of amendments to the Fair Credit Reporting Act (FCRA), afforded broad new rulemaking authority to the Federal Trade Commission (FTC) and other federal agencies. The latest of the FACTA rules, known by regulators as the "Red Flags" rules, are aimed at promoting the detection, prevention and mitigation of identity theft.
One of the most controversial features of the FTC's version of these rules is its scope. They generally apply to any entity that permits any type of deferred payment — and contain additional requirements for entities that establish accounts designed to permit multiple payments or transactions.
Requirements and Duties for Creditors and Users
Creditors maintaining consumer credit accounts that allow multiple payments or transactions must implement an identity theft prevention program, including policies and procedures to identify, detect and respond to "Red Flags" — activities indicating the possible existence of identity theft. The FTC has also promulgated non-binding "Guidelines on Identity Theft Detection, Prevention and Mitigation."
Although the new rules allow some flexibility in the program, companies should implement most, if not all, of the non-binding recommendations, as FTC staff likely will view these guidelines as the "gold standard."
All users of consumer credit reports must now implement reasonable policies and procedures for dealing with consumer address discrepancies, upon receipt of a notice from a consumer-reporting agency. These policies and procedures must allow the company to form a reasonable belief that a consumer report relates to the same consumer about whom the user requested the report.
Under the FTC's rules, any user of a consumer report must have a program in place to verify the identity of the person for whom the user requests a report. If a company obtains information about customers from consumer-reporting agencies, it must have a program in place.
The "Red Flags" rules also contain new requirements for issuers of debit or credit cards, including the establishment of policies and procedures to assess the validity of a consumer's request for change of address when the consumer requests an additional or replacement card shortly thereafter. The full compliance deadline for these new rules is April 30.
Expect that the agency will embark on a wide swath of investigations designed to produce enforcement actions, complete with high civil penalty demands by late 2009. Worse still, the rule provisions related to consumer report address discrepancies are subject to private enforcement by individual consumers and class actions.
What Should Marketers Be Doing Now?
Given the broad scope of these rules, many DR marketers will fall within their ambit. Examine your organization's practices in light of these two questions:
• Do you offer any form of deferred payment to consumers? If yes, do you have covered accounts? If so:
Identify what you already have. Locate any written policies or procedures your organization already has in place regarding consumer information.
Include what you already know. Chronicle any past experiences of consumer fraud or identity theft, as well as safeguards to prevent such incidents.
Form a team. Designate one person ultimately responsible to report to leaders, but also include knowledgeable folks from any area of your business that deals with consumers.
Focus your team. Unauthorized individuals may access and misuse consumer data relating to covered accounts in many ways. How do customer service reps confirm information provided on a previous order? Who accesses payment information?
Document conclusions and recommendations. The rule requires that you consider your risks, implement "reasonable measures" to address those risks, and document that process.
• Do you use any consumer reports provided by a nationwide consumer-reporting agency? If yes, document procedures for verifying customer or employee identity if you receive a notice of address discrepancy.