Although Red Flag Rules were created to protect against identity theft, are some types of businesses more affected than others? In previous blogs I wrote about how merchants are not getting a fair shake when it comes to these rules, and many lawsuits have been filed against merchants. Different industries face government fines because they say some of the rules are difficult to follow.
For example, car dealerships fear they will not be able to comply. Since car dealers extend auto financing, they are considered creditors. Dealerships argue that it is very difficult to detect suspicious or unusual activity, and most of their staff is not trained to look for these types of things. According to Andrew Koblenz, the National Automobile Dealers Association’s general counsel, “We want to fight identity theft, and dealers have a tremendous self-interest in not selling a car to an identity thief, but the real-world impact is that it would burden dealers.” Auto dealers speculate it could add as much as five hours to the loan application process.
The healthcare industry also falls into the category of creditor. If a hospital offers payment plans so patients can pay in installments, the hospital would be considered a creditor as well. Non-profit organizations and government entities that defer payment for goods or services are also considered creditors. For the healthcare industry, the Federal Trade Commission is responsible for interpreting and enforcing the Red Flag Rules.
Any industry that processes multiple payments or transactions, such as credit card accounts, mortgages, car loans, or cell phone accounts, or any industry in which there is a reasonably foreseeable risk of identity theft to the customers or the creditor, is subject to these Red Flag Rules.
If you are in an industry that fits any of the above criteria, your time is winding down. Here are some basic steps to becoming compliant:
- You must put your process for identifying theft in writing.
- Your program must include policies and procedures for identifying Red Flags and incorporate those Red Flags into the program. Ensure your program is updated periodically.
- Make sure the program is appropriate for the size and complexity of the company and scope of activities.
- The program must be approved and regularly reviewed by a board of directors and an appropriate committee of the board. It must include training for staff to effectively implement the program.
- Creditors must frequently conduct a risk assessment to determine whether they offer or maintain revolving accounts.