The deadline for your compliance with the Red Flags Rules is coming up fast with enforcement slated for November 1st, 2009.

It is estimated that over 11 million businesses must have a written Identity Theft Prevention Program in place to help stop the effect of Identity Theft.  There are a few common misconceptions out there and I hope to address some of this here.

The first misconception is that this is for businesses who have an Identity Theft problem.  This is not correct.  When you read through the requirements of the program, this regulation is about detecting the warning signs that you are dealing with an Identity Thief as a client or customer and how to deal with this situation.

Why is this important to you as a business?  First off, the fines from the FTC begin at $2500 per instance for non compliance.  Second, recent legislation at the Federal level and at many state levels make is possible for civil litigation.  The victims of Identity theft are now able to sue businesses who sell or provide services to the fraudsters who claim to be the victim for negligence in that the business has a duty to insure that their clients and customers are who they say they are. 

While there seems to be a huge stink over the red flags rule and businesses not wanting to comply because it is too difficult, I cannot understand why a business would not want to comply just for a sanity check.  According to the folks at ID Sure – the average cost to the business who assists an ID Fraudster without Identity Verification is over $90,000.   Also according to IDSure, Red Flags Rule Compliance take just a few minutes to complete per customer.

With the deadline looming, we will be posting quite a bit of info in the coming weeks.  In the meantime, if you have questions about the Red Flags Rule and how to comply, just check out http://www.idsure.org

First, In order to address the growing problem of Identity Theft and the effects it has on businesses and individuals, the FTC has established legislation for businesses to comply with the FTC Red Flags Rule.  The Red Flags Rule says that Financial Institutions and “Creditors” with “covered accounts” must have an Identity Theft Prevention Program in place.

OK, now that we understand what businesses need and who needs to comply lets take turkey.  What, you don’t understand part 1?  Seriously, that is ok, because no one seems to get it.

The Red Flags Rule is not really about Identity Theft.  It is about what happens after the identity has already been stolen.  The FTC understands it ID Theft will continue to grow and happen, so they created the Red Flags Rule Program in an effort to remove the places where Identity Thieves can get products and services using that stolen id.  The first mistake the FTC made was calling it an Identity Theft Prevention Program.  It should have been called an Identity Fraud Prevention Program.

Bottom line – The Red Flags Rule is in place so that your business can detect the signs that an Identity Thief is using YOU to damage YOU and the Victim.

Why is this important to you as a business?  Simply put – assisting an Identity Thief, knowingly OR unknowingly has an average cost to a business of over $90,000 in 2008 PER INSTANCE.  Recent laws now allow the victim to sue you and your business for damages resulting from your business providing products and or services to an Identity Thief.  While you have nothing to do with the victim, legally do you because you are providing service to their identity and you “as part of its duty of diligence it (the business should have confirmed her identity”

Next let’s look at who must comply.  The second critical error the FTC made was, in an attempt to decide which businesses must comply, defined the Red Flags Rule as applying to “creditors.”  In reality, credit has nothing to do with it.  The FTC has determined that numerous business segments fall under this definition including law firms, accountants, utility companies, telecom, professional services, etc.

Bottom Line – If your business provides services or products to individuals and invoice them and you have ANY repeat customers, then you are a “Creditor”  If you deal with individuals outside of their home, for example, in your office or remotely via the phone or internet, then you have “covered accounts”

I am still amazed at the push back I hear about from businesses who do not want to comply.  I have a program in place for my small computer business.  If I push the definitions, I can probably argue that I am not a creditor with covered accounts as the majority of my customers are businesses and I know my customers.  In reality, in todays world, you do not know your customer.

According to the statistics, if you have 500 customers, you are most likely providing services or products to at least on fraudster and if the victim finds out, they can sue you to recover the damages.  The question I put back to the business, can you afford that expense?  I have been in court over stupid lawsuits too many times in my life because attorneys can sue you for anything now.  The website – legalmatch – now has links to finding attorneys who sue businesses who provide services to ID theives and info for the victims on how to maximize their claims.   For a whopping $70 bucks a month, I want to sleep well knowing that I did my part to fight Id theft.  I would rather that thief go to the business next door who does not check an ID and let the victim sue him

The bottom line – if you are a business and you invoice customers and you deal with individuals, you need a Red Flags Rule Identity Theft Prevention Program, even though it really has nothing to do with Identity Theft

For more information about the Red Flags Rule and Identity Theft Statistics or to see pricing and sign up for an Identity Theft Prevention Program for the Red Flags Rule Policy

I am continually amazed at crimes relating to Id Fraud and the stance of various businesses who say it never affects them and they should be excluded from following the FTC Red Flags Rules.  Currently the AICPA and the ABA, the 2 major associations who represent accountants and attorneys are fighting the FTC and demanding exclusion from the program.  They feel it is a major burden and that attorneys and accountants never see identity theft.

The issue is simply that the head of both organizations do not get it.  The FTC Red Flags Rule is an “Identity Theft Prevention Program”  When you read the program is really about ID Fraud and stopping the places where an ID Thief can get services.  One point to note, both the attorneys and accountants are onboard with the program as it relates to the medical profession as it is a place for them to sell services.  What they don’t say in their letters to the FTC is that the risk of ID Fraud in their profession is higher than that of the medical field.  Currently, the medical field is reporting approximately 250,000 cases of ID Fraud a year – that is approximately 1 in 930 Adult Americans.

Yet when you look that the results from synovate and ITRC, approximately 1 in 332 Adult Americans are affected by ID Fraud and attorney services and 1 in 438 had a tax return filed with forged and fraudulent documents.  When the data reveals that victims are more than twice as likely to get burned by an ID Fraudster in legal or accounting services, it amazes me that these 2 professions continue to argue about the program.

The above example is yet another very serious case where legal services and an attorney helped damage an innocent persons life, most likely that they will never recover from.  Does it not make sense, that businesses take a few moments to make sure that their clients are who they say they are??

I realize that everyone feels that Id theft never happens to them.  But what about when it does.  I am very glad that John Smith is now eligible to go after the parties to recover damages for his loss.  With the average legal wage being $472 an hour, I think that John Smith is entitled to that amount for each hour he has had to deal with this ordeal and every hour it continues.  The thing that is the most sad for me, is that all of this could have been easily avoided and going forward it is even easier to avoid.

Well, H. Thomas Wells, Jr, here is your case of ID Fraud being assisted by legal counsel.

It is not hard. Most of the it common sense – in fact, if you follow the guidelines, you should simply check behind the ID. If you do that – the business would avoid the majority of the ID fraud that is on the news each and every day. I seen quite a few cases this week on twitter. In reading the news, almost every one of the cases involved someone presenting an ID that is not them. Most of the time the person is fictitious or another age. This is a good thing to do regardless.

I hear businesses complaining that it is just too complicated to create a program. That is a joke. I have personally seen businesses go online and sign up with IDSure.org In a record of about 10 minutes to a high of 20 minutes, they are signed and have a Red Flags Policy in place.

Cool – so what is the cost?? Well, that is the simple part – their basic plan is a whopping $69.95 a month. Most businesses, I talk with are between $70 and $200 a month for a small to medium size business. If you use the Red Flags Blog coupon code – ERF2307 when you sign up – you save 10% forever. If you sign up by August 1st, they will take you through the wizard to get your policy created for free and you get double the first months ID Verifications to get caught up on those existing customers.

To Summarize:
Free Red Flags Rule Program Policy
Double the ID Verifications for the 1st month to help you get caught up
Best Service in the business
Administration panel to control access in your firm. – This is good if you don’t want the bosses son checking out last nights date.

Any questions – feel free to ask me.

I have been an Alltel customer for a few years. Due to identity fraud perpetrated by my previous attorney, I had to setup a very complicated passcode system so that no one would have access to change or modify my account.

Alltel sold all of my personal information and my account to Verizon wireless. I get a ton of junk mail so when I got stuff from Verizon wireless and do not have an account, I shred it. I probably should have read it.

About 2 weeks ago, I got a call on my home number, not my cell number, with callerid blocked from someone claiming to be verizon and my account needed to be paid. I asked for what account and they could not tell me without my SSN. Since I don’t typically give that out to anyone without info and I don’t have a verizon acct, I chalked it up to a very good and aggressive phisherman!

Today when my phone was shutoff, I call customer service and discovered that my account is now with Verizon – I really do need to get out more In order for me to check my account, I need to tell them my full SSN – that was not a pleasant conversation.

2 VERY frightening and sickening events then happened.

1. I was able to pay my bill, without any authentication, using the bank info on file. When asked to confirm the last 4 digits of the bank account on file, I made it up. Just for fun to see what would happen, figuring I would be driving into town to get this straighten out anyway. Well, it flew right by Mike in Financial Services at Verizon and he promptly gave me a confirmation code for my payment. I asked him which account and he gave me the info on the correct account – not the info for the made up account!

2. When I asked for a supervisor, I got the runaround and was told I can do everything online. I went to verizonwireless.com and decided to create an account. I put in the phone number and my email. The next step asked me to create a password. For kicks and because I was incredibly nervous at that point, I used a password I have NEVER used before – just to see what happened. It created my account and all of my information is there. All my payment history with Alltel, all of my calls and my wife’s calls. EVERYTHING. No challenging information needed. The only thing you need is an alltel phone number that is now with Verizon.

Here is why the Red Flags Rule is so important. I have spent over 3 hours today on the phone with Verizon to show them the problems with their system and to work on getting it fixed. They simply do not care. I spoke with managers, I spoke with supervisors. The only person who would give their first and last name was Barbara Flemister who insisted that it was not her job but I should probably call someone in eServices but since it was my data and I accessed it, it is not really fraud and until a criminal act is committed there is nothing they need to worrry about. How sick is this????

I am working diligently to get my account closed with them and my personal data deleted as they refuse to address this as an issue.

If you were an Alltel customer and had a passcode, please make sure you get with Verizon and try to get your data protected. If you have not created your online account, get with it immediately or hope they change the settings before someone orders phones and services and jams you with a 2 year contract.

Happy to hear what others have to say.

Failure to comply may increase firms’ exposure to negligence claims….

In a press release issued by Beazley Insurance – http://tinyurl.com/ns6v67 –
They talk about how the Red Flags Rule could have an effect on claims to firms.

This is an interesting twist on Red Flags Rule Compliance in that it begins to bring to light other issues.  While most companies and professional firms are beginning to finally understand that the Red Flags Rule Program is about fighting fraud that results FROM an incident of ID Theft, the Lawyers are most concerned these days with threats of suing the FTC for making them comply.   The issue should be that businesses should be responsible for identifying or noticing the red flags that show up with certain clients or customers that could be an indicator of an identity theft incident.  If you see red flags, you should take measures to address them.  Pretty simple.  Now imagine the issues that can pop up if you do not?

The FTC realizes that it is impossible to stop Identity Theft – but this program will shutdown the outlets the thieves have to practice their trade.  If it is harder to profit from Identity theft, then it is likely that ID Theft will be reduced.

Imagine that as an accountant that a client comes in with tax info, W2, etc and has you file their tax return.  You take a quick look at their drivers license and then you file their return and get them a $2000 refund.  Later the real person comes in with similar paperwork and a letter about an audit from the IRS about the tax return that you prepared.  Did you follow the Red Flags Rule Program?  Did you perform due diligence?  Who is going to pay for fixing the damage with the victim and the IRS.  What if the victim files civil charges for the damages?  In a recent event – http://tinyurl.com/kvlp7t
citizens in Michigan are now able to compensation for time and effort to clean up the effects of Identity Theft.  What is the cost of that to your business or firm?

The issue I want to summarize here is, with the sue happy attorneys our country has bread, will your insurance company back you or drop you if you get sued for damages resulting in an ID Fraud incident.  Beazley and the other insurance companies are not saying their customers MUST comply, but the fact that the liability insurance companies are sending letters and notifications is an indicator that it could affect your policy if you don’t comply.

Compliance with the Red Flags Rule Program is easy.  http://IDSure.org offers a free template wizard to create your program with the signup of their ID Verification Service.  The program take about 10-15 minutes to setup and the Services run from $69 a month and up depending on how many customers you need to check.  In support of my  Easy Red Flags Blog, the folks at IDSure are giving my followers a discount of 10% on their services for as long as you use them and if you signup by the August 1st Deadline, you get double the ID Checks the first month to help clean up your existing files.  Just use coupon code ERF2307 and the discount will apply.  Look at it this way – the ABA says it takes 120 hours to create a Red Flags Rule Program – my readers are doing it in about 15 minutes.  Looks like I have a topic for my next blog

Yesterday, I spoke with a tax and estate planning attorney who had not heard of the program.  In speaking with ID Sure, an ID Verification and Authentication services company, it was clear that the organizations and associations that these professionals  belong to are doing nothing to address compliance or education.  ID Sure will provide free seminars and webinars for groups of businesses or professionals who are affected by the Red Flags Rule and are happy to provide free education regarding ways to become compliant and to fight ID Fraud.

Shawn Walsh, a spokesperson for ID Sure tells me that they have been contacting the associations to offer up no cost education but are often told by the associations, that they do not know what the Red Flags Rule is or why it would apply to their members.  They have recently added a simple presentation on their website so that the businesses that are affected can quickly understand the impact non compliance could have on their business.  You can view that presentation here.

The whole concept is pretty simple – ID Fraud is on the rise.  ID thieves are using services of various business to help pull off their criminal activity.  Some examples – 5.3% of ID thieves filed a fraudulent tax return and 7% use legal services from an attorney.  In an effort to shut this down and stop the propagation, the FTC is mandating that certain businesses have an Identity Theft Prevention Program in place.  ID Sure offers a free Red Flags Rules Program for low risk businesses if you sign up for any subscription service for the ID Verification service.  According to their website, the base plan is $100 a month and you can cancel at any time.

I say it is time to get off the couch and sign up with ID Sure, or another ID verification system and become Red Flags Rule compliant!  It is not enough to just take a drivers license as a form of ID.  Look at the post earlier this week where Corcas used a Fake Drivers License to buy a house!  Good thing for the lawyers that set up his company and the title company who handled the closing, that the Red Flags Rules was not being enforced yet.  When that happens next month, my guess is the law firm and the title company will be faced with public humilation, shame and some nasty fines.

According to the DA, Corcas  and his sister created a company, Profit & Profit which they operated out of his residence.  A fake drivers license in the name of the victim was used at the closing to establish identity and a mortgage issued to the buyer was obtained using a fraudulent power of attorney, along with false income, employment and asset records.  The money from the sale of victims house was then deposited into the Profit and Profit’s bank account.  The fake buyer and fake seller did not attend the closing.

What is amazing to me is that this flew by the mortgage company and the closing company!  It appears that there were several Red Flags on this transaction and yet it appears no one stopped to think about them.

We hear about cases of ID Fraud every day.   It is clear that the ID Thieves are getting bolder and bolder.

Statistics show that approximately 31% of ID thieves have a driver’s license that passes inspection.  5.3% of ID Fraud involves filing false tax returns to obtain a fraudulent refund. 7% of ID fraud uses some sort of attorney’s services.

These are frightening numbers.  In order to fight these thieves, it is clear to me that you need to get into the data behind the drivers license or ID and verify information that the thief will not find in a wallet or will be able to remember easily.

Simply put, I believe that the Red Flags Rule Policy may have very well stopped this case of ID Fraud from occurring.  A simple few moments of the closing company or mortgage company to verify the identity would have been all it would take.

Imagine what the true cost of the damage is in this situation.  The victim lost his home, foreclosure is imminent as the fraudulent mortgage remains unpaid.  Sure, the crook has to pay restitution, but that is simply the proceeds from the sale of the house he deposited in his company’s bank account.  What is the real cost of this ID Fraud?   The cost to the taxpayer for all of the investigation, the mortgage companies losses for not verifying the mortgage information, the closing title for their reputation and not to mention the victim, who at 68, looses his home!

Can we afford not to comply with the red flags rule?  How long do you and I have to keep paying for recklessness behavior because businesses don’t want to spend a few extra minutes to verify the ID?

Do you disagree?  Please feel free to comment and tell me why.

The four basic elements to the program are:

1) Identify Relevant Red Flags

• Identify the red flags of identity theft you’re likely to come across in your business

2) Detect Red Flags

• Set up procedures to detect those red flags in your day-to-day operations

3) Prevent and Mitigate Identity Theft

• If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done

4) Update your Program

• The risks of identity theft can change rapidly, so it’s important to keep your Program current and educate your staff

There is quite a bit already on the web about Red Flags so I will not go into much detail here and for inquiring minds, there is a brief article on WikiPedia about Red Flags.

Interesting Definitions

The FTC originally defined the Red Flags Rule as being applicable to Financial Institutions and Creditors.  To the average joe, this would be banks and lenders such as credit card companies, mortgage brokers, etc.  The reality is that the FTC has defined Creditor as: The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.

This is interesting twist as per the definition, law firms, accounting firms, consulting agencies, telecommunications and utility businesses, all need to comply with the Red Flags Rule.

I agree with the FTC in that this is a good thing.  If you are in a low risk business, the program is simple and easy to implement.  The FTC has a simple set of guidelines you can use to create your policy, or you can go with one of the many consulting firms out there who will create a program for you.  According to the Wikipedia article on Red Flags – a program can cost upwards of $1000.  One thing I like about IDSure.org is when you sign up for one of their Identity Verification programs, you get the Red Flags Policy for free.  You just need to step through the wizard and check the items that are revelant to your business and then print it out and follow it.  Pretty Easy to be in compliance.  While there are many people complaining about having to comply, I will be doing my business with companies who comply.  Afterall, if the business does not want to help stop Identity Theft, what else is going on?

One of the things we hear the most from businesses is “we always know who we are dealing with, we check their ID and make a photocopy of the Drivers License for our records!” .

The attitude towards accepting a drivers license as a valid form of identity authentication continues to baffle me even though I should know better.  In doing some research recently, I found some stats put out by the Gartner Group regarding Identity Theft and trends.  The results are staggering but not surprising.  13% of identity thieves are able to walk into a DMV and get a “valid” drivers license that ties back to the victim.  An additional 18% of the thieves have a drivers license in their possession that passes tight scrutiny.

With over 10 Million REPORTED cases of identity theft in 2008, that there is over 3 million instances where the perpetrator is able to physically stand in front of you and provide you with a “valid” ID.  And this is just for the reported cases, it is known that the actual number is much higher.  The Channel 11 in Dallas, the CBS station, did an investigation last fall about how hard it is to get a counterfeit ID – in this article – it will amaze you just how easy it is to for a layman to obtain one, can you imagine how it is for a professional thief, and statistics tell us that the majority of the identity fraud is perpetrated by professionals, this is their job.

The FTC’s Red Flags Rule is in place to protect the identity theft victim, it simply states that you have a policy in place to do some due diligence to ensure that your clients and customers are who they say they are.   With almost a third of identity thieves having a fraudulent ID, do you think it is acceptable to just copy a drivers license?  I don’t.  And I think it is fair to say that the magnetic stripe readers that will print the info from a drivers license is a waste of time as well.  The majority of the counterfeit IDs will have the stripe programmed with the data that is on the card anyway.

The only way to be certain is to run an identity verification on the customer, offer up a few simple challenge questions that only they would know.  While I am hearing grumbling from businesses out there about Red Flags, I am thinking this is a good thing.  I have had several friends who have had thier identity stolen and if businesses had implemented a decent Red Flags Policy, the damage would have been severely minimized.  One of my friends was even charged with being a deadbeat dad and had his drivers license revoked for nonpayment of child support!   While in this case it was the government who messed up, can you imagine the liability with all the sue happy attorneys if something like this happened with your business or services helping to committ the crime when you could have stopped it?

Some people are saying it is far too complicated to check the identity of the customers.  Again, I must disagree.  I recently tested the verification at IDSure.org on myself.  It is simple to use and I had to really think to be sure to answer correctly.  I was impressed and now I use the ID Verification Service from IDSure.org and I am now a reseller.  With plans from $100 a month, you can cancel at any time, you can change plans at any time, AND -if you sign up before August 1st, 2009, they provide you with a starter kit, that is normally $500 for free that will have you up an running with a Red Flags Compliance Policy in about 15 minutes.

For $100, are you willing to risk non compliance with the FTCs Red Flags Rule Program and just accept a drivers license as your due diligence? Not me, no way.