Agencies issue frequently asked questions on ID theft rules

Agencies issue frequently asked questions on ID theft rules

Editors note: On July 29, 2009, the Federal Trade Commission delayed the deadline for compliance with its Red Flags Rules until Nov. 1, 2009. Click here to read the FTC's press release announcing the delay.  

As a small business owner, you may feel that it's unfair for the government to hold your merchant account responsible for identity theft. After all, credit cards are a part of life in modern society; you have no choice but to operate a merchant account. How can you be expected to prevent identity theft when as many as 9 million Americans have their identities stolen each year?

Federal administrators say that it's in the best interest of your small business, and your merchant account, to help identify patterns of identity theft. No, you aren't expected to totally thwart ID theft. The Fair and Accurate Credit Transactions Act of 2003, which is still being implemented, simply requires that you put in place an identity theft prevention program designed to detect warning signs, or "red flags."

Red flag rules for merchant account transactions, mostly involving credit cards, were made effective at the start of 2008. On June 11, 2009, a team of federal agencies issued a Q & A report, "Identity Theft Red Flags and Address Discrepancies." This report will help you determine required steps for compliance.

In essence, you must implement "reasonable policies and procedures" to spot credit account red flags, and then take "appropriate actions." Employees who process merchant account transactions must receive ID theft training. The law gives you flexibility to fit your identity theft prevention program to the size and nature of your enterprise.

Small business owners must do more than simply provide data security for their merchant accounts. Red flags go a step beyond data security, with the intent of preventing credit card fraud on the front end.

The government describes merchant account red flags as:

• Alerts, notifications and warnings from a credit reporting company. These may include a fraud or active duty alert, a credit freeze, a closed credit card account, or a notice of address discrepancy.
• Suspicious documents. Paperwork may show an identification that seems altered or forged, or a photo ID that doesn't look like the credit card holder.
• Suspicious personal identifying information. For example, you may discover a Social Security number listed on the government's "Death Master File12," or a number that hasn't even been issued. Or a customer applying for credit may omit information and then make an excuse.
• Suspicious account activity. An obvious example is sudden large charges, or sudden use of a card that's been inactive. More subtly, it could be massive purchases of items such as jewelry and electronics that easily can be converted to cash.

For new accounts, identity theft precautions can include obtaining a government ID card such as a driver's license or a passport.

Updated: July 29,2023