Who Must Comply with FACTA's Red-Flags Identity Theft Rules?

April 22, 2009

Clients Question Compliance Requirements

As previous reported in both SESCO's email blast service and newsletter, clients are questioning whether or not they are "covered entities" for the purposes of complying with the FTC's Red-Flags Identity Theft Rules.

In short, "any person who regularly extends, renews, or continues credit is a "creditor'." Subsequently, any organization that defers payments, even if there are no finance charges or installments, where consumers pay after receiving the goods or services such as physicians, hospitals, repairs or even a local store where a customer runs up a tab, are covered entities.

For all practical purposes, the FTC's interpretation of a "creditor" and subsequently a "covered entity" will extend to all businesses throughout the economy.

SESCO suggests:

1. Contact SESCO to conduct an audit/risk assessment to determine if you have "covered accounts" and as such are a covered entity.

2. If you are a "covered entity," you must do the following:

Create a written, company-specific identity theft prevention program.

Implement change of address safeguards.

Verify identity upon notice of address discrepancy from a consumer reporting agency.

Train all employees who handle or process confidential information relating to financing and customer accounts.

Note: SESCO provides compliance manuals and training services to include customized policy developed to ensure compliance.

SESCO retainer clients can contact our Director of Client Services, Phil Richards, to discuss specifics to determine if you are a covered entity and as such must comply with the rules. Onsite audits/risk assessments are also available. Those who are not SESCO retainer clients should consider SESCO's monthly Service Agreement providing professional human resource and employee relations consulting support.