FACTA, Identity Theft and The Red Flags Rules

EXECUTIVE SUMMARY

FACTA, Identity Theft and The Red Flags Rules

The Fair and Accurate Credit Transactions Act (FACTA), essentially an amendment to the Fair Credit Reporting Act, became law in 2003. A basic premise of the law is the identification of the potential for, as well as the prevention of, identity theft. While that sounds relatively simple in concept, it was, for years, confusing as to exactly what actions were required to do this and by which types of businesses. Such was the outcry and “panic” that Congress ultimately delayed full compliance until 12/31/10. Even now, there are still some questions about what needs to be done to comply.

Tom Gannon, CCE
Director of Research & Education, Federation of Credit and Financial Professionals

FACTA, Identity Theft and The Red Flags Rules

The Fair and Accurate Credit Transactions Act (FACTA), essentially an amendment to the Fair Credit Reporting Act, became law in 2003. A basic premise of the law is the identification of the potential for, as well as the prevention of, identity theft. While that sounds relatively simple in concept, it was, for years, confusing as to exactly what actions were required to do this and by which types of businesses. Such was the outcry and “panic” that Congress ultimately delayed full compliance until 12/31/2010. Even now, there are still some questions about what needs to be done to comply.

In fact, I had a recent experience that prompted this paper. A dripping faucet prompted the purchase of a replacement cartridge from a local distributor. When I presented my credit card, the counterman had to go upstairs to a cashier to have it processed. Why? There were no card machines at the counter! This particular distributor is reputable, and they have been around for years, so I hope that everything is fine. However, the experience, as minor as it appears, did ring a few bells, since I had direct experience with drafting and implementing a program to adhere to the compliance rules.

Does this company have to comply with The Red Flags Rules? Absolutely. Why? They fall under the definition of a creditor having “covered accounts”, as nebulous as that sounds. A “covered account” is any account, or customer file, that has the potential for identity theft. The key word here is “potential”. So, if the creditor’s file includes a customer’s personal information, such as a Social Security Number (SSN), home address, home or cell phone numbers or anything similar, it falls under the law. Even if a company sells only to businesses, there is still a high probability that its files contain this type of information. Credit applications, business loan documents, invoices, monthly statements and so on can include these items.

Therefore, under The Red Flags Rules, the company has to act. In fact, even if the company does not do business with the public, it may still have similar information on file for its employees. For instance, a company may pull a consumer credit report on an employee, with written permission, of course. How about health insurance claims? Employment applications?

The first step in the process for compliance is to identify the potential for identity theft within your organization. Simply put, does your company maintain, receive or use this kind of personal information? If so, then you are required, as stipulated by the Federal Trade Commission, the enforcement agency for The Red Flags Rules, to draft a program. The program must be in writing, and it must include the following:

1. Identify the areas within your company’s operation where this information is used:
   a. Credit files: applications, credit reports, etc.
   b. Cash application: check copies, credit card numbers.
   c. Counter sales: credit cards, receipt of credit applications and other documents.
   d. Employment files, including your HR Dept.

2. Identify the potential for the theft of the information:
   a. What information is maintained?
   b. How is it obtained?
   c. Where are the files kept? Physical file folders and cabinets, digital files, or both?
   d. Who has access to it?

3. How can security, or lack thereof, be breached?
   a. Are physical files kept in a secure area or room?
   b. Do employees lock up work-in-progress at the end of the day?
   c. Can a passer-by gain access?
   d. Are digital files password protected?
   e. Do computers have a time-out feature to prevent access when left unattended?

4. How can you identify a breach?
   a. Are there digital alarms when data is accessed without authority?
   b. Do alarms sound when a locked file room is accessed?
   c. Does someone lock up the department or building?

5. Must other departments within the company have access to such information?
   a. Do sales branches have protocols for protecting the information?
   b. Does the Marketing Dept. receive credit card information to process Yellow Page listings?
   c. Does HR have security protocols?

Once all of the potential breaches are identified, you need to include prevention procedures and requirements for storage and maintenance of the data. Some examples:

1. If a sales branch receives a credit application, either from a sales associate or directly from a customer, they should immediately scan and email it, or fax it, directly to a specified fax number or email address within the Credit Department. Once received, alert the branch to destroy the document or lock it in a safe or similarly secured area. Destruction is recommended, unless it can be returned immediately to the applicant. Furthermore, “destruction” does not mean just throwing it away; the document must be shredded or otherwise rendered unreadable.

2. It is recommended that physical credit files be kept in a locked and secure room, preferably with a combination or other digital lock. This includes any actual check copies or other documents containing the personal information. The nightly cleaning crew should not have access.

3. Any employee handling this kind of data should have a lockable file cabinet or file drawer to secure their work-in-progress overnight, or even when they go to lunch.

4. Credit card information is particularly sensitive within the law and rules:
   a. Limit card information on receipts and so on to the last four digits only.
   b. Do not allow access to a list of cards from which to choose for payment.
   c. Do not display card information for public access or non-essential employee access.
   d. Get written permission to use a card that is not physically being presented by the cardholder.
   e. Branch procedures must be the same as for credit applications and similar documents. Any written approvals should be destroyed after receipt by the Credit Department or other responsible department.
   f. Never write down card information and keep it anywhere, including in a locked safe.

When the program is fully documented, present it to senior management and any other functional area. There is a potential for an FTC audit, especially if breaches are traced to your company. It is better to be prepared. As part of the process, identify the responsible compliance persons, usually the department heads for Credit, HR and IT.

Lastly, this is not restricted to public companies, as Sarbanes-Oxley compliance is. Federal law mandates that ANY company with access to, or the maintenance and use of, this personal information take steps to identify the potential for, and to mitigate the risk of, identity theft. It will not hurt to discuss the issue with your IT Department, even to the extent that simple access to a company’s website for special online services, such as checking prices and availability of product, could have the potential for a breach.
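Items 4a and 4f above come down to one control: a full card number should never sit in a receipt, a note, a log line or a stored file, and what does get kept should show only the last four digits. The Python script below is an added example, not part of the original paper or of the Federation’s materials. It finds candidate card numbers in free text, confirms them with the Luhn checksum that every payment card number carries (so invoice, tracking and phone numbers are left alone), and replaces each with a masked form. The counter-sale record it runs on is constructed for this example from the card networks’ public test numbers; the function names are the example’s own.

```python
import re
from typing import List, Tuple

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces
# or dashes, bounded so that a digit inside a longer run is never matched.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Every payment card number carries this checksum,
    which is what separates a real card number from other long digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most a receipt or stored record may show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, List[str]]:
    """Replace every Luhn-valid card number in text with its masked form.
    Returns the cleaned text and the masked numbers found, so an audit log of
    where card data was discovered never itself contains a full card number."""
    findings: List[str] = []

    def replace(match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw                  # a digit run that is not a card number: leave it
        masked = mask_pan(digits)
        findings.append(masked)
        return masked

    return PAN_CANDIDATE.sub(replace, text), findings


# Constructed sample: a counter-sale note of the kind item 4f warns against,
# using the public test card numbers 4111 1111 1111 1111 and 378282246310005.
SAMPLE_RECORD = (
    "Counter sale 2016-03-14, invoice INV-0042\n"
    "Card: 4111 1111 1111 1111 exp 09/19 auth 0A1B\n"
    "Callback phone 555-123-4567\n"
    "Note: customer also gave 3782-822463-10005 for the balance\n"
    "Carrier tracking 1234567890123456\n"
)

if __name__ == "__main__":
    cleaned, found = redact_pans(SAMPLE_RECORD)
    print(cleaned)
    print(f"{len(found)} card number(s) masked: {found}")
```

Run against exported text from scanned documents, shared drives or mailbox archives, the same functions serve as a sweep for the written-down card numbers that item 4f says should not exist anywhere; the tracking number and the phone number in the sample survive untouched because they fail the length or checksum test, which is the difference between this and a plain digit-run search.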

A Primary Source for Order-to-Cash Best Practices
www.federationofcredit.com

Copyright 2016 by the Federation of Credit and Financial Professionals.

All rights in this publication are reserved. No part of the publication may be reproduced in any manner without written permission. Printed in the United States of America.

Federation of Credit and Financial Professionals
51 Cragwood Road, Suite 200
South Plainfield, NJ 07080
www.federationofcredit.com
