This decision to extend is said to be largely due to complaints from creditors that they were unaware of the existence of the new regulation and some say they only found out after the deadline had passed. This deadline according to the official press release only applies to organizations that are not under the jurisdiction of any of the other regulatory agencies other than the Federal Trade Commission. FACTA requires financial institutions and creditors to implement a written identity theft prevention program that should help detect identity theft, hopefully before any damage is done. If identity theft is not detected, the regulation calls for the financial institution or the creditor to reduce the risk to the consumer and the organization.

Many creditors have complained that there is not a clear cut way of indicating how they will be audited, and it has not been indicated how penalties will be assessed. The FTC Enforcement Policy now clearly defines all the parameters for creditors to follow. Going forward there will be no question that if you fit into the category of “creditor” you will be required to comply with Red Flag Rules. Still many organizations feel they are flying under the radar or won’t be caught. What does a company have to gain by allowing identity theft to occur?

Rules to be followed range from watching for suspicious social security numbers that may be on the Security Administration’s Death Master File to suspicious, or repeated, address or phone number tracking. Plain and simple, following Red Flag Rules will reduce identity theft and every business should want to participate in keeping our personal information safe.

For example, car dealerships fear they will not be able to comply. Since car dealers extend auto financing, they are considered creditors. Dealerships argue that it is very difficult to detect suspicious or unusual activity, and most of their staff is not trained to look for these types of things. According to Andrew Koblenz, the National Automobile Dealers Association’s general counsel, “We want to fight identity theft, and dealers have a tremendous self-interest in not selling a car to an identity thief, but the real world impact is that it would burden dealers.” Auto dealers speculate it could add as much as five hours to the loan application process.

The healthcare industry also falls into the category of creditor. If a hospital offers payment plans so patients can pay in installments, the hospital would be considered a creditor as well. Non-profit organizations and government entities that defer payment for goods or services are also considered a creditor. For the healthcare industry, the Federal Trade Commission is responsible for interpreting and enforcing the Red Flag Rules.

Any industry that processes multiple payments or transactions such as credit card accounts, mortgages, car loans, or cell phone accounts, or any industry that has a reasonably foreseeable risk to the customers or the creditor of identity theft, is subject to these Red Flag Rules.

If you are in an industry that fits any of the above criteria, your time is winding down. Here are some basic steps to becoming compliant:

1. You must put your process for identifying theft in writing.
2. Your program must include policies and procedures for identifying Red Flags, and incorporate those Red Flags into the program. Ensure your program is updated periodically.
3. Make sure the program is appropriate for the size and complexity of the company and scope of activities.
4. The program must be approved, and regularly reviewed by a board of directors and appropriate committee of the board.  It must include training for staff to effectively implement the program.
5. Creditors must frequently conduct risk assessment to determine whether it offers or maintains revolving accounts.

On November 1^st 2008 FACTA has a deadline in place called the Identity Theft Red Flags Rule. Red Flags are indicators of a possible risk of identity theft. Red Flag rules listed in Section 114 of FACTA explains each rule and how to develop ID theft prevention programs. These rules apply to any business, bank, or issuer that offers credit or any type of finance option. Many financial institutions are not taking the deadline seriously since the first Office of Thrift Supervision audits will not occur until February of 2009. Merchants all together have become savvier and typically try to comply and report any red flags, but some may not know who to report these red flags to.

Although we all want our credit card information to be secure, it seems that merchants are not getting a fair shake when it comes to FACTA. Many class action lawsuits have been filed against a number of retailers. Recently, there was a class action law suit filed seeking willful damages based on printing of credit card expiration dates on receipts. The merchant was seeking $100 to $1000 for each violation. This applies to both paper and electronic receipts. Most mom and pop merchants would expect that their card processor would ensure that they are up to code. This is not always the case. Merchants should review the FACTA rules regardless of their size. The Supreme Court is currently reviewing willfulness and “reckless disregard” and expects to have a decision this quarter.