After several delays, the Federal Trade Commission (FTC) will begin enforcement of the Red Flags Rule on December 31, 2010. The FTC issued regulations (the Red Flags Rule) on November 9, 2007 requiring financial institutions and creditors to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.
In addition, the rule implements Section 315 of the FACT Act which applies to users of credit reports. This section specifically includes “landlords” or land-lease communities and requires users of consumer reports from credit bureaus to develop reasonable policies and procedures to determine the identity of an applicant when a “notice of address discrepancy” from a consumer reporting agency is received.
MHI has discussed issues related to manufactured home communities and retailers with FTC staff and believes that the following information reflects how communities and retailers are impacted by the Red Flags Rule. However, the policies developed by MHI members should be reflective of their specific business needs and practices, and should involve legal counsel.
Compliance with Section 315 of the FACT Act – Address Discrepancy
Communities using consumer credit reports must comply with Section 315 of the FACT Act. Section 315 requires users of consumer reports to develop reasonable policies and procedures that must be applied when they receive a notice of address discrepancy from a consumer reporting agency. There is no requirement that the policies and procedures on address discrepancies be in writing. However, a written policy could assist in ensuring policies are being followed by all employees.
After receiving notification from a consumer reporting agency of an address discrepancy, and upon reasonably confirming the accurate address for the consumer, the community must furnish this information to the consumer reporting agency if: 1) the relationship with the consumer is a new one; and 2) the community regularly furnishes information to the consumer reporting agency.
Compliance with Section 114 of the FACT Act – Red Flags Rule
The Red Flags Rule applies to entities that are financial institutions, creditors, or have transaction accounts or covered accounts under the Act. The rule requires financial institutions and creditors to establish written Red Flags Identity Theft Prevention Programs to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts.
Land-lease communities and retailers are considered to be financial institutions, creditors, or to have covered accounts if they offer financing or help consumers get financing from others by processing credit applications.
The following activities would not require a written Red Flags Identity Theft Program: 1) The use of consumer credit reports solely for the purpose of qualifying applicants for residency; 2) Simply referring customers to lenders, without handling credit applications.
If a community or retailer is involved in the lending process, and thereby required to have a written Red Flags Identity Theft Prevention Program, they may be able to utilize the FTC-developed “Do-It-Yourself Template for Businesses at Low Risk for Identity Theft.”
The FTC does not specifically identify industries or businesses that are at low risk. However, by answering the first four questions in Part A of the do-it-yourself template, the FTC provides individual businesses the flexibility to make this determination on their own.
One reason retailers and community owners may be at low risk for identity theft is because of the duplicative efforts of their lender partners to check the identity of the individuals the industry is assisting with financing. MHI discussed this issue with FTC staff who in turn recommended this be included in the “Here are the reasons we are at low risk for identity theft” section of the FTC do-it-yourself form. The form posted on the MHI Web site includes suggested wording. However, this form should be modified to fit individual business needs.
Following the recent enactment of legislation clarifying the Red Flags Rule, FTC Chairman Jon Liebowtiz stated:
The Rule doesn’t require any specific practice or procedures. It gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces. Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program – for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.
More detailed information is available on the MHI Web site by clicking here. FTC resources and Red Flag program templates can also be found at this location.
For more information, MHI members can contact Ann Parman at (703) 558-0653 or ann@mfghome.org.