FACTA's red flags of identity theft

Later this year, new Federal Trade Commission (FTC) rules go into effect requiring businesses to recognize the "red flags" that tell them someone may be committing fraud.

Businesses that maintain personal financial information on customers -- from banks to auto dealers -- must have systems in place to spot red flags and intervene to stop a possible identity theft.

"If someone were to apply for credit and they put down their date of birth and then a Social Security number that does not correlate to the date of birth, that would be a red flag," said Paul Metrey, director of regulatory affairs for the National Auto Dealers Association (NADA), which hosts data security workshops for dealers.

Red flags The following are examples of red flags, according to the FTC: -- The majority of available credit on a card is used for cash advances or merchandise that is easily convertible to cash, such as jewelry; -- A noticeable change in electronic fund transfer patterns on a deposit account; -- Purchases in two distant cities on the same day; -- Identification documents provided to open an account appear to have been altered or forged; -- Customer can't answer challenge questions like identifying their mother's maiden name.

The Red Flag rules from the Federal Trade Commission (FTC), which take effect Nov. 1, 2008, are a follow-up to the Fair and Accurate Credit Transactions Act (FACTA) enacted in 2003. FACTA requires businesses to have systems in place to secure the personal financial information of customers and to securely dispose of that information when it's no longer needed.

Besides auto dealers, businesses subject to FACTA include debt collectors, mortgage brokers and even someone who obtains a credit report on a prospective nanny, according to the FTC.

"Whether someone hiring a nanny is aware [of FACTA], I don't think there are, obviously. But I think financial institutions are aware of it and they have to be," said Mary Monahan, senior analyst with Javelin Strategy & Research, which focuses on the financial services industry.

Keeping dealerships secure
Car dealers regularly work with finance companies, but there is no one data security plan for all of them, said NADA's Metrey. "The procedures you adopt should be appropriately tailored to the size and complexity of your operation."

For a small dealer, selling just a few cars per month, security could be as simple as advising the finance manager not to leave contracts on their desk when they leave the office.

For a large dealer group with multiple car make franchises, though, best practices include password-protected access to servers only for people whose job descriptions entitle them to access. A service department manager can access a customer's vehicle maintenance records, but not their finance records. Servers should be in a secure, climate-controlled room and not accessible via the Internet, NADA advises in a guide to dealers.

Don't reinvent the wheel
Privacy regulations have been imposed on debt collectors for years so new rules such as FACTA aren't all that new to them, said Leslie Bender, an attorney specializing in privacy laws who represents a debt collection industry group.

Debt collectors, who obtain personal financial records of debtors to collect money on behalf of client creditors, have been subject to the Fair Debt Collection Practices Act for about 30 years. They and vendors of computers, firewalls or document shredding services, are "light years ahead" of other industries on their security policies, said Bender.

"Debt collectors are attuned to protecting consumer data and don't just pitch it into the dumpster," she said.

But besides securing and properly disposing of records, financial institutions now also have to be further diligent under the Red Flag rules.

About the author:
Robert Mullins is a reporter covering the technology industry from Silicon Valley. He writes about servers, storage, security, open source software and other topics.