Getting Started with Red Flag Rule Compliance

Published: 12th May 2009

On August 1st, 2009 the FACTA Red Flag Rule goes into effect. If you're the average small business owner you haven't even heard about the Red Flag Rule. You might also think it only applies to financial institutions. However, these new regulations affect almost every business. The rules can be onerous to comply with and come with sharp teeth. Not a good combination for small businesses struggling just to stay afloat.


So what is the Red Flag Rule? In short it requires businesses to develop and implement a program that will identify potential identity theft through suspicious activities. These patterns of suspicious activities are called "red flags." Every business must create a compliance program to identify and respond to red flags. Once developed, employees must be trained on the program.


The Red Flag Rule is enforced by the Federal Trade Commission (FTC). However, as with other recent privacy legislation, there are allowances for individuals to seek damages from businesses. In other words, trial lawyers will be salivating to put together class action lawsuits. After August 1st, if an employee fails to recognize an identity theft red flag and report it, the penalty could be a financially crippling lawsuit.


The rule applies to any business that offers or connects customers to credit. Almost every business qualifies, including:



Medical Practices - Because payment is made via an insurance company the FTC has ruled that medical offices must comply. The AMA has been unsuccessful in getting relief from the rule with an argument that practices are already covered by HIPAA.


Retail Stores - The only exception is if a store deals exclusively in credit cards and cash. If a store allows purchases via credit, internal or external, they must comply. This is everyone who sends out invoices.


Services - Phone companies, cell phones, power companies or anyone else that extends credit.


Car Dealerships - This includes boat sales, RVs, motorcycles and power sports.


Banks and Financial institutions - Everything from the local bank to credit cards to mortgage brokers.


Schools - Any school, college or university that provides or accepts financial aid.



There are numerous methods to get in compliance. At the high end is bringing in a law firm to go over all of your business practices and design a custom program. This is very expensive, but it is the most thorough and you are all but certain of compliance. At the bottom end is an off-the-shelf solution. These are not very expensive but may require a great deal of customization and come with no assurance that your business will be in compliance.


Any solution you choose needs to have some basic components. The FTC mandates these four parts:



  1. Identify relevant red flags. - Identify the warning signs of identity theft that are specific to your business. Some common ones are suspicious documents, changes of address, warnings from credit agencies, and notices from victims or law enforcement.

  2. Detect red flags. - Put in procedures that will detect the red flags in day-to-day business practices.

  3. Prevent and mitigate identity theft. - Put in reasonable responses when red flags are detected. This includes monitoring or closing accounts, not opening an account or notifying potential victims of a problem.

  4. Update your program periodically. - Every program should be evaluated and updated for business practice changes and identity theft trends.


Once you have created a compliance program you will need to educate your employees. This means more than just handing out a document but actively working with them to protect all the private information in your care. All training should be documented for compliance records.


Steven Hastert is an expert on Federal Privacy Laws. He works with businesses to keep them in compliance with HIPAA, FACTA and the Red Flag Rule. For document shredding he recommends the pros at Shred Nations.


This article is free for republishing
Source: http://melindapowelson.articlealley.com/getting-started-with-red-flag-rule-compliance-886747.html

