Under the Fair and Accurate Credit Transactions Act (“FACTA”), Congress in 2003 mandated that businesses that extend credit to consumers for personal, family or household purposes must adopt policies and procedures designed to identify instances of possible “identity theft” in connection with transactions requesting such credit. The regulations promulgated by the Federal Trade Commission (“FTC”) implementing FACTA’s provisions are referred to as the “Red Flags Rule,” because the procedures adopted by businesses are supposed to identify “red flags” that signal a risk of identity theft in connection with a consumer credit transaction. After deferring the effective date of the Red Flags Rule four times, the deadline for affected businesses to comply is now June 1, 2010.
On its face, FACTA would not appear to apply to many direct marketers or Internet sellers, who most often do not extend credit themselves, but instead rely on credit cards. The requirements of FACTA, however, extend to those retailers that sell products or services on installment plans or otherwise extend credit to consumers. In addition, retailers that offer private label or co-brand credit cards (i.e., the retailer’s name appears on the credit card) may also be affected, even if they do not act as the issuer of the card. This is because the FTC’s Red Flags Rule also applies to service providers and others who assist creditors (the card issuer) in receiving or processing requests for credit. Furthermore, FTC staff have indicated their intent to apply the Red Flags Rule very broadly, so that the rule may be applied even to transactions involving the extension of credit to sole proprietorships, on the theory that such transactions involve a risk of identity theft for the individual operating such a business.
If your company is required to comply with the Red Flags Rule, you will need to adopt procedures satisfying certain prescribed elements, tailored to your particular business. In addition, you should be aware that Congress (perhaps to demonstrate the seriousness it ascribes to the growing crime of identity theft) expressly mandated in FACTA that affected businesses and institutions must ratify their Red Flags procedures through action of the company’s board of directors or a committee of the board of directors.
Determining your obligations under FACTA, if any, and adopting appropriate procedures requires careful consideration of your various business activities with the assistance of experienced counsel. The downside of failure to adopt Red Flags procedures is not limited to enforcement action by the FTC; worse, by far, would be the consumer and public relations problems following a data breach of sensitive customer information without having a required FACTA plan in place to identify potential risks of identity theft. The good news is that the analysis of whether a plan is required, and the subsequent crafting and adoption of a plan, need not be burdensome.