Businesses now required to monitor warning signs for identity theft

Business owners take heed. A November 1 update to FACTA (the Fair and Accurate Credit Transactions Act of 2003) requires businesses to implement a written policy that monitors the business for "Red Flag" warning signs for identity theft. The policy must also specify how the business will respond to the crime if discovered.

The Red Flag rules have been on the books for years, and lawyers, health care practices, and small business owners have been fighting the changes to the law. In fact, the new deadline is only the latest deadline for the rule that was first introduced in April 2008. The initial deadline was set for November 1st, 2008 and subsequently moved to April 1st, 2009 and then finally November 1st, 2009.
 
The Red Flag Rule covers "financial institutions" and "creditors." It is this second group that almost every business falls into. Any business that doesn't collect payment in full at time of service is considered a "creditor." This includes doctors, lawyers, accountants, designers, phone companies, or anyone else who offers payment terms.
 
"Most businesses understand that they need to protect information through security and paper shredding programs," says Steven Hastert, president of Shred Nations, an expert in identity protection issues. "But even though this new law has been posted for more than a year, few businesses are aware of the scope of these changes."
 
The American Bar Association (ABA) and American Medical Association (AMA) have been vocal critics of being covered by the rule. They are making a last-ditch effort, through H.R. 3763, to avoid being covered. The bill passed the House on October 26th and is headed for the Senate. This proposed legislation exempts businesses with fewer than 20 employees from the changes.
 
The Red Flag Rule requires businesses to put four components in place:
 
1)   Reasonable policies and procedures must be in place to identify suspicious patterns or practices in day-to-day operations that indicate possible identity theft.
 
2)   The program should also detect the red flags identified for the business, for example, obvious fake identification.
 
3)   The program should have procedures to follow when a red flag is identified.
 
4)   There must also be a system in place to re-evaluate the program as threats change.
 
These new requirements are just part of a good information security program. Hastert reminds businesses to remember the basic steps they need to take. These include locking file cabinets, not giving information over the phone, and shredding everything with personal information on it.
 
