Businesses across the nation are under pressure to meet the Federal Trade Commission’s Nov. 1 deadline to have an identity theft prevention program in place. Eduard F. Goodman, general counsel and chief privacy officer with Identity Theft 911, says that many businesses will not meet the deadline, estimating that less one third of banks will not meet the deadline.

 

Businesses across the nation are under pressure to meet the Federal Trade Commission’s Nov. 1 deadline to have an identity theft prevention program in place. Eduard F. Goodman, general counsel and chief privacy officer with Identity Theft 911, says that many businesses will not meet the deadline, estimating that less one third of banks will not meet the deadline.
“The reality is the Federal Trade Commission and other institutes know that some businesses won’t be ready,” he stated and explained the commission’s Nov. 1 requirements related to consumer identity theft as part of the Fair and Accurate Credit Transactions (FACT) Act.
The FACT Act of 2003 added new sections to the federal Fair Credit Reporting Act, intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing and new consumer rights to disclosure are included in FACTA.
Identity theft has spiraled to epidemic proportions with the commission estimating 10 million victims exist.
The Nov. 1 date the FCC set implements a “Red Flag Rule.”
The rule, outlined in three parts, says that companies that have accounts that experience multiple transactions must have a written identity theft protection in place to cover new and existing accounts.
Goodman says that about 11 million businesses are affected by the rule.
Almost every type of business may be affected, including dental offices with installment plans, insurance agencies, auto dealerships, banks and even newspapers. All must comply. The scope of businesses involved is very broad says Goodman and although a business may offer the same products and services, the program needed would not work for every company
“It’s not a one size fits all approach. The same two businesses may not need the same program,” he said. He suggested that business look to trade organizations for help with establishing an identity theft program.
“Red Flag applies to any business that has a covered account,” he said.
Goodman says that accounts for household purchases with multiple payments or periodic payments and accounts that are at risk of identity theft need to comply.
“Credit cards, I-Tunes accounts even movie rental accounts are affected,” Goodman commented.
Jeff Steele, compliance officer at Helena National Bank says the move was needed and offers the best possible protection for customers.
“I think it’s a great idea. It’s long overdue,” he stated. HNB and First Bank of the Delta are ready to implement the program to further protect their client’s identity, said banking officials Thursday.
Red Flag Guidelines and requirements for credit and debit card issuers call for the institutions to assess the validity of a change of address request and implement procedures to reconcile different consumer addresses.
Businesses that use consumer reports, under the new rules, must adopt a plan to detect, prevent and mitigate identity theft. The company’s board of directors or senior management must approve the plan. The rules identify certain signals of actual or attempted identity theft, but each company is left to establish plans based upon a risk assessment of its own operations.
Signals identified by the agencies as warranting increased alert include:
• Consumers notations on a credit report such as a fraud alert, active duty alert, or credit freeze.
• Unusual patterns in the consumers use of credit, such as a recent increase in inquiries or new credit accounts, changes in the use of credit, or accounts closed.
• Suspicious documents that appear to be alerted forged or reassembled. Or documents that include information that is inconsistent with the person applying for credit.
• Suspicious Social Security number, for example an SSN that has not been issued or is listed on the Social Security Administrations Death Master File. Another example would be one in which the SSN range does not match the date of birth or is the same SSN as provided by other persons opening an account.
• Suspicious address or phone number as follows: (a) the address or phone number is known to have been furnished on fraudulent applications; (b) the address either does not exist or is that of a mail drop or prison; (c) the phone number is invalid or associated with a pager or answering service; or (d) the address or phone number is the same or similar to information submitted by other persons opening accounts.
• Use of an account that has been inactive for an unreasonably lengthy period of time.
• Mail sent to the account holder is returned while transactions continue.
• Notice from the account holder or law enforcement that identity theft has occurred.
A common practice among identity thieves is to notify a credit or debit card issuer of a change of address. Soon after the change of address notice, the thief asks the card issuer for replacement cards.
Under the Red Flag Rule before a new or replacement card can be issued, card issuers must take steps to assess the validity of a change of address. This applies at least within the first 30 days after an address change notification. Extra steps are required whether the change of address notice comes directly from the consumer or from the Postal Service.
For more information about the Red Flag Rule visit www.privacyrights.org/fs/fs6a-facta.htm#1.