“Red Flag” Regulations Approaching Quickly

While the Fair and Accurate Credit Transactions Act of 2003 (FACTA) doesn’t
expressly include business-to-business transactions in its identity theft
prevention provisions, companies whose customers include both other companies
and consumers may be required to comply with FACTA’s "Red Flag" regulations. The
regulations, listed in Sections 114 and 315 of the Act, require companies to
establish prevention and recognition programs and take note of certain "red
flags" that may be indicative of identity theft. While FACTA was signed into law
five years ago, compliance with the red flag provisions will become mandatory
beginning November 1, 2008.

Consumers are the Act’s main focus, but while they constitute the largest
group of the Act’s protected customers, the regulations are based on risk and
depend more on the type of transaction or account than the customer’s class. The
regulations cover continuing deposit or credit relationships designed to permit
multiple payments or transactions on the part of the customer like, for example,
credit card accounts, mortgage loans, installment credit, margin accounts, cell
phone service or other utilities, checking accounts and savings accounts. The
regulations also vaguely apply to any other account where there is a reasonably
foreseeable risk of identity theft for the customer. The guidelines apply to all
financial institutions and creditors with accounts like the ones listed above,
so not all trade creditors will be affected. For those that are, an implemented
and maintained plan will be necessary.

A compliant company’s identity theft prevention program must include an
established list of relevant red flags consisting of patterns, practices or
specific activities that may indicate the existence of identity theft, culled
both from the company itself and from the text of the legislation. Additionally,
the program must account for the ability to detect the aforementioned red flags,
respond to the appearance of a red flag and adapt on a regular basis to stay up
to date.

While the majority of these regulations may not apply to most B2B companies,
regulations such as these tend to start in the consumer arena before expanding
to include businesses. Companies that conduct business with consumers, or
traffic in personal data, should take note of FACTA’s guidelines and suggestions
for preventing the occurrence of identity theft. For more information on these
regulations and how they could affect businesses in the future, stay tuned to
NACM’s eNews.

Jacob Barron, NACM staff writer

Leave a Reply

Your email address will not be published. Required fields are marked *