In this month’s segment, we will review the new sections of the FACTA law and their potential impact on your business. FACTA, or the Fair and Accurate Credit Transactions Act, is an FTC law scheduled to expand on August 1 with the addition of the Red Flags Rule. Originally adopted in 2003, the law has expanded over the years. It is designed to help consumers fight identity theft and to give them better control over the personal information that businesses collect or maintain.
Some of the sections of FACTA you may already be familiar with include the annual free credit report, fraud alerts on credit reports, and the truncation of credit card numbers on receipts. The new Red Flags Rule will accompany these provisions. “The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs – or “red flags” – of identity theft”, according to the FTC’s website. The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts”.
According to the FTC materials, “under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. The definition also includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later and a business that regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Creditors include finance companies, automobile dealers, real estate agents, mortgage brokers, utility companies, telecommunications companies, and retailers that offer financing or help consumers get financing from others. This can also apply to landlords with renters. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. 
A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.”
To comply with the new rules, businesses “must develop a written Program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the [company], include appropriate staff training, and provide for oversight of any service providers”. This means that if your business must comply, you must also ensure that the companies you use for operations comply with the Rules. Even if you are not a “financial institution” or a “creditor”, do not have “transaction accounts” or “covered accounts”, and do not need a written Program, you must still conduct a periodic risk assessment to help you determine whether you have acquired any covered accounts through changes to your business structure, processes, or organization. Failure to comply with the new rules can result in FTC fines and mandated long-term remediation plans, in addition to negative publicity and possible loss of business.
More information is available from the FTC websites and general Internet searches. As with any new regulation, you are advised to seek proper legal advice. You can also submit questions to Planning@TPComps.com.
References:
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
http://www.ftc.gov/bcp/edu/microsites/redflagsrule/more-about-red-flags.shtm
Monday, June 29, 2009
