The deadline countdown is on: In less than six months, retailers must be in compliance with the Red Flag regulations on identity theft and change-of-address discrepancies issued by the Federal Trade Commission (FTC) and the federal financial institutional regulatory agencies.
The final rules for the development and implementation of written Red Flag Identity Theft programs went into effect on Jan. 1 and the final date for compliance is Nov. 1. The new rules reinforce sections 114 and 315 of the Fair and Accurate Credit Transaction (FACT) Act of 2003.
Under the Red Flag Identity Theft Protection Program, any business that has consumer accounts that could be susceptible to identity theft is required to institute “reasonable policies and procedures for detecting, preventing and mitigating identity theft.” This requirement will be enforced for new as well as for existing accounts.
In addition to identifying patterns that could be “red flag” warnings of potential identity theft, issuers of consumer accounts must be able to confirm the credibility of requests for change of address.
The biggest challenge for compliance, suggested Tim Mohr, director of investigative practice at New York City-based BDO Consulting, will be to assign responsibility for developing policies and implementing processes throughout all channels of the organization. “You have to identify a person who has expertise in a number of areas, such as physical security, loss prevention and payment cards, and who can put policies into place throughout the organization, from Web-based orders to stores.”
In related news, San Diego-based Compliance Coach announced a Web-based software, CompliancePal, that provides a five-step approach to achieve compliance with the FACT Act Identity Theft Red Flags Rule.