The Fair and Accurate Credit Transactions (FACT) Act (or FACTA) first passed in 2003, and its resulting “Red Flags Rule” regulation promulgated in late 2007, require that creditors develop and implement an Identity Theft Prevention Program (ITP) to prevent and mitigate identity theft.

 

After some controversy about what businesses are “covered” by the Rule, Congress passed the Red Flags Clarification Act (RFCA) in 2010. Although the RFCA does provide better guidance as to who must comply with the Red Flags Rule, it also broadened the scope of the Rule. The Red Flags Rule specifically identifies a creditor as a business or institution that regularly and ordinarily—

 

   > obtains and uses consumer reports in connection with a credit transaction, or

 

   > furnishes information to a consumer reporting agency (CRA), or

 

   > advances funds directly to or on behalf of a person based on an obligation to repay the funds or

      is repayable from specific property pledged by or on behalf of the person.

 

Notably, the Clarification Act exempts businesses that merely permit deferred payments by their customers so long as the businesses do not meet one of the foregoing conditions. For example, a business that regularly uses credit reports to determine whether or not to permit deferred payment would need to comply with the Rule because it meets the first condition. But businesses such as doctors’ offices, accountants, consultants, landscapers, and hardware stores that simply defer billing but do not pull credit reports or report to CRAs routinely, would be exempt from the Rule. Among the types of businesses that typically are “covered” by and must comply with the Red Flags Rule are:

 

   > Banks and credit unions

   > Investment companies

   > Insurance agencies and agents
   > Apartment complexes that screen tenants
   > Utility and telephone companies

   > Municipalities providing utilities (water, sanitation, energy, gas, etc.)

   > Real estate management groups
   > Debt collection agencies
   > Auto dealerships that take and process loan applications for lenders
   > Payday loan companies
   > Any institution that makes or processes loans (or their third-party vendors)

 

We provide a turnkey solution to the Red Flags Rule that provides your business with a proprietary identity theft risk assessment and mitigation system. Our solution considers all factors required by the Red Flags Rule plus our own optional factors that impact favorably on a business’ overall security posture and enterprise-wide risk mitigation programs.

 

Once our solution is applied and implemented it provides our clients with an accurate and dynamic risk score. If the risk assessment and score determine that a business is out of compliance, the system’s what-if feature guides clients toward compliance or, if compliant, clients can improve their risk posture even more.