Unless you’ve been living under a rock, you all know that Southern California has had its share of devastating wildfires over the last several months. If you live in Southern California, you’ve experienced the hot Santa Ana winds and the “red flag warnings” that accompany them — that is, warnings of the potential for such a catastrophe.
Well, the federal government has announced its own “red flag warning” with the recent publication of the Red Flag Rules and Guidelines. These rules are mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA) as a means of combating identity theft. The rules became effective Jan. 1, 2008, and compliance is mandatory for auto dealers and others by Nov. 1, 2008. This may sound like there is time to get your house in order, but don’t dally — there’s a lot to do.
The rules require auto dealers who engage in financing activities to establish an Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft. For most dealers, this means creating a written program with respect to new credit accounts. For those of you in the Buy-Here-Pay-Here community, your program will need to address your existing accounts as well. All consumer accounts are covered by the Rule, as well as business accounts to the extent you determine that there is a reasonably foreseeable risk to the business customer or yourself from identity theft.
Your program must be composed of four distinct elements containing reasonable policies and procedures to:
1. Identify relevant “red flags” (patterns, practices or activity that indicate the possibility of identity theft) relevant to the credit origination process
2. Detecting and evaluating these “red flags” in connection with individual customer transactions
3. Responding to “red flags” you detect in an appropriate way to prevent identity theft
4. Ensuring your program is updated periodically to reflect changes in risks to customers from your experiences and new identity theft activity.
The term “Red Flag” refers to a pattern, practice or specific activity that indicates the possible existence of identity theft. There are some examples in the rules as to what these might be, but you will need to determine for yourselves what these are in the context of your business.
The rules do contain a list of potential red flags you may consider for incorporation into your program. The list is provided for guidance to help you identify relevant red flags. While you will not need to justify to the Federal Trade Commission your failure to include a specific red flag from the list in your program, you may find yourself having to account for the overall effectiveness of your program. So, if a particular red flag makes sense in the context of your business to include in your program and you don’t, you may still find yourself in hot water if you experience an identity theft incident.
The rules also provide final guidance regarding actions a user of consumer reports must take when a consumer reporting agency sends the user a notice of address discrepancy. When you receive such a notice you must use policies and procedures you have designed to enable you to form a reasonable belief that the consumer report relates to the actual person standing in the dealership or otherwise applying for credit. To the extent you furnish information to consumer reporting agencies, you must also furnish a corrected address for the consumer.
This new Rule is involved and complicated, and as always, such things create opportunities for commerce. You’ll soon be beset upon by vendors with snappy technology that will take care of all your obligations and allow you to go on your merry way. But remember that if something sounds too good to be true, it usually is.
While there are certainly some technological solutions that will help you comply with your obligations, my view is that there will be some amount of training and effort you will have to undertake in order to truly comply.
So, do yourself a favor — carefully vet new technologies with your compliance counsel. While certain parts of the Rule lend themselves to technological solutions, other parts may require some good old-fashioned subjective thinking. Be sure you know which parts are which, and you’ll keep the regulatory wildfires to a minimum.
Michael Benoit is a partner in the Washington, D.C., office of Hudson Cook LLP. He is a frequent speaker and writer on a variety of consumer credit topics. He can be reached at [email protected]. Nothing in this article is intended to be legal advice and should not be taken as such. All legal questions should be addressed to competent counsel.