The Federal Trade Commission (FTC) has recently implemented a “Red Flags” rule on certain businesses in an effort to curb the growing problem of identity theft. Financial institutions of all sizes are required to comply with this rule, as well as other businesses that regularly pull credit reports and grant credit to their customers.
Essentially, you are required to comply if you have what the FTC refers to as “covered” accounts which involve financing; such as loans for autos, household items or store credit accounts. Compliance is required even if a third party administers the financing.
If your business falls under the scope of this rule, it is important to take deliberate steps to comply. Here is a general guide on the steps involved with “Red Flags” rule compliance:
- Review your business to identify potential red flags that could indicate identity theft. The first step in preventing identity theft in your business is to understand what red flags to look for in your particular organization. Examples include:
- Documents that appear to be altered or forged, signatures that do not match the ID, etc.
- Inconsistent personal information; addresses that do not match, etc.
- Suspicious account activity; unusually large purchases, requests for additional cards with different last name and/or address, etc.
- Alerts from credit reporting agencies, law enforcement and other sources.
- Implement a specific procedure to detect red flags in the context of your business model. You should have procedures in place to detect an identity theft threat before it ever happens. A thorough identification verification and authorization system is usually the first step in this process.
For example, when opening a new account, it should be standard procedure to have your customer produce a valid ID such as a driver’s license or passport. However, you may also want to cross-reference this information with what it on their credit report. In addition, there is a widespread problem with identity thieves using the Social Security numbers of dead individuals, so you might want to check the customer’s Social Security number with the government’s Master Death File.
- Implement identity theft prevention and mitigation procedures: After detecting potential red flags, you and your employees need to have a process in place to know what to do when this occurs. Depending on if this is a new or existing account and other circumstances, these procedures may include not opening the account at all, calling the customer for additional verification or in cases where there is high suspicion of fraud contacting law enforcement.
- Review your procedures regularly: Since business models change frequently and the tactics of identity thieves are becoming increasingly sophisticated, you should take steps to stay updated on the latest threats and update your procedures accordingly.
During each step of your implementation process, it is important to work closely with your small business accountant. This will help ensure that your procedures are in keeping with generally accepted accounting principles (GAAP) and you are staying in compliance with IRS rules and regulations.