Identity Theft: Federal Regulation Impacts Companies Handling Consumer Data

Regulations under the Fair and Accurate Credit Transactions Act (FACTA) of 2008 were intended to broaden the rules on how companies handle consumer account information (such as names, addresses and Social Security numbers) so that they cover businesses from auto dealers and banks to mortgage brokers and telecommunications companies. Casino credit departments more than likely have to comply with FACTA.

The federal rules went into effect Nov. 1, 2008. Although the Federal Trade Commission (FTC) announced it would not enforce the Red Flag Rules until May 1, the announcement didn’t affect companies subject to enforcement agencies other than the FTC. Those agencies include the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the National Credit Union Administration.

“As identity theft continues to run rampant, financial institutions and creditors are now required to design programs and policies to detect, prevent and mitigate identity theft,” said Tanya L. Forsheit, partner with Proskauer Rose LLP. “About 10 million people are victimized each year, but if businesses are alert to suspicious activity, they can do a lot to prevent identity theft and limit the damage it can cause if it does happen.”

Some examples of “red flag” warning signs include:

• A consumer report inconsistent with a customer’s history, such as a sudden increase of activity or use in a foreign country.
• A photograph, physical description or other identifying information that is not consistent with the appearance of an applicant or customer.
• Inconsistent personal information, such as an address presented with an application that does not match any address in the consumer report.
• Following a notice of change of address, the financial institution receives a request for a new, additional or replacement card or for the addition of authorized users on the account.
• Mail sent to the customer is returned repeatedly as undeliverable although transactions continue.

“The FACTA Red Flags Rule applies to creditors and financial institutions. However, as a matter of best practice, every company that handles consumer data should prepare and implement an internal security policy and be alert to similar red flags,” said Forsheit.

Is your organization prepared to comply with the Red Flag Rules by providing identity theft services to all your customers? If your customers experience identity theft, do you have the tools in place to help them recover? If your organization experiences a data breach, do you have the right resources to protect your customers?

According to a business alert issued by the Federal Trade Commission in June 2008, the Red Flag Rules apply to a very broad list of businesses including financial institutions and creditors with covered accounts. A creditor is defined to include lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies. However, this is not an all-inclusive list.

The regulations apply to all businesses that have covered accounts, which include any type of account where there is a foreseeable risk of identity theft. Examples are credit cards, monthly-billed accounts such as utility or cell phone bills, Social Security numbers, driver's license numbers and medical insurance accounts. This significantly expands the definition to include all companies, regardless of size, that maintain or otherwise possess consumer information for a business purpose. Because of the broad definitions in these regulations, few businesses will be able to escape these requirements.

There are three regulations that correspond with FACTA. One requires financial institutions or creditors to develop and implement an identity theft prevention program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft. Another requires users of consumer reports to respond to notices of address discrepancies they receive. A third places special requirements on issuers of debit or credit cards: if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterward, receive a request for an additional or replacement card for the same account, they must assess the validity of the change of address.

I am not an attorney, but after reading between the lines, I think casino credit departments are subject to this new federal law. If you haven’t done so yet, get in touch with your legal counsel for an opinion on what this law means for you and your businesses to make sure you’re compliant.
