In-Depth

Latest Compliance Regulation Tackles Identity Theft for Enterprises Large and Small

Firms that extend credit to consumers and small businesses must comply by November 1

• By James E. Powell
• 05/20/2008

If your enterprise interacts with the public, there's a good chance it will be affected by the FACT Act Identity Theft Red Flags Rule later this year. There's also a good chance your enterprise isn't ready, assuming it even knows about the Act.

The FACT Act is designed to involve businesses in preventing consumer identity theft, imposing a host of new requirements, from planning to new procedures to auditability. According to Compliance Coach Inc, a firm that provides automated regulatory compliance software, "The impact is broad and the rule affects every single bank, credit union, mortgage lender, auto dealer, credit card lender, payday lender, landlord, utility company, telephone company, and any consumer or small business lender in the country."

Although the regulation was passed in 2007, compliance has been voluntary so far to give companies time to adjust. On November 1, compliance will be mandatory.

Sai Huda, chairman and CEO of Compliance Coach explained the problem to Enterprise Strategies this way: The company's CompliancePal software already includes logic based on the previously published 26 identity-theft red flags found by the U.S. government. "That's the minimum a company must address. The challenge is that the regulation also requires companies to take into account any red flags from their own historical experience as well as new identity theft schemes and trends in the industry. Many companies may simply not be aware of what these are."

Huda says those schemes abound and include frequent changes to names, for example, or the timing of actions designed to default a lender. CompliancePal includes an additional 23 red flags it says its research has found after examining identity theft cases and schemes that have affected financial institutions, creditors, and consumers. Huda said CompliancePal will continue to be updated with new red flags.

The Act requires any firm, regardless of size, that extends credit to a consumer to perform a risk assessment, identify all accounts that could be affected, identify the relevant red flags that may signal identity theft is occurring, implement "appropriate" detection and response procedures, develop a written "Identity Theft Prevention Program" and incorporate procedures into current operations, obtain approval from the board of directors for the program, then train staff.

That's not all: to remain in compliance, you must "periodically" update your program and, at least once a year, review your compliance status.

That's no small requirement for any enterprise, Huda says, and especially for many small businesses, the Act will prove extremely burdensome. To simplify compliance with the Act, CompliancePal uses a wizard approach, asking users about problems in 54 possible troublespots, then creates the necessary documentation, action plans, written identity theft prevention program for board approval, staff training, and the periodic update report.

To encourage adoption of its web-based software (and add an incentive for enterprises to get the process started sooner rather than in panic mode later), the firm is offering "Early Bird Pricing" -- $595 for midsize enterprises to $995 for large corporations with $1 billion in assets (if a financial institution) or $6.5 million in revenue (for all other businesses). The price will rise when the deadline draws nearer.

Huda says the company will keep updating the software (to help companies meet the regulation's requirements to stay up to date with identity theft trends) as part of its support.