Continued from Compliance 101 – Stop Guessing Start Knowing Part One →
Safe Harbor Privacy Notices
Privacy, security, and safeguarding rules and regulations apply throughout a cash sale or credit transaction. If you collect personal information, including but not limited to full name, residential address, phone or cell number, email address, or Social Security number, these rules apply to you.
The following information explains your business responsibilities under the Fair Credit Reporting Act and other laws when using, reporting, and disposing of personally identifiable information (PII).
When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to ensure that companies live up to those promises. The FTC has brought legal actions against organizations that violated consumers' privacy rights, misled them by failing to maintain security for sensitive consumer information, or caused substantial consumer injury. In many of these cases, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers' privacy and security.
A Safe Harbor Privacy Notice, built on the Federal Reserve Board's model privacy form, provides a safe harbor to the business that uses it and clearly states how a consumer's personal information is used and shared in conjunction with the sales process.
There are a few acceptable types of Privacy Notice. A notice must include an Opt-out provision when the business shares a consumer's personal information with non-affiliated third parties in ways that give the consumer a right to limit that sharing; a No Opt-out notice is used when the business shares only as the rules permit without an opt-out right. You may choose which one to use under your specific policies and procedures as long as the notice accurately describes what you actually do with the information, the intent is clear to the consumer receiving it, and it includes the required components.
Download the entire Federal Reserve Board document here.
Office of Foreign Assets Control (OFAC)
The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury administers and enforces economic and trade sanctions, based on U.S. foreign policy and national security goals, against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy, or economy of the United States.
U.S. persons must comply with OFAC regulations. This includes all U.S. citizens and permanent resident aliens regardless of location, all persons and entities within the United States, and all U.S.-incorporated entities and their foreign branches. Under certain programs, foreign subsidiaries owned or controlled by U.S. companies must also comply, and certain programs also require foreign persons in possession of U.S.-origin goods to comply.
Red Flags Rule
The Red Flags Rule is the core piece of the Identity Theft Prevention Program (ITPP) we covered in part one. Regardless of the size of your business, if you don't have this in place, you need to put it in place immediately. As it pertains to credit transactions, the Red Flags Rule is simple: your written Red Flags program needs to include policies and procedures for detecting, preventing, and mitigating identity theft, and must spell out how you plan to identify potential "Red Flags," the patterns, practices, and specific activities that signal the possibility of identity theft or fraud. The underlying rule is extensive and covers many industries in the U.S.
The Red Flags Rule went into effect November 1, 2008, but the FTC delayed enforcement, first to May 1, 2009 and then further, to give creditors time to implement their programs. Enforcement began January 1, 2011. Again, if you do not have a program in place already, don't wait any longer!
Who must comply with the Red Flags Rule?
The FTC requires that financial institutions and creditors conduct periodic risk assessments to determine whether the business has any covered accounts. In part one, we explained the definition of a creditor.
The FTC also clarifies that the red flags it lists are examples, not a checklist. Instead, the FTC groups them into five categories that creditors and financial institutions can use as a launch point for identifying the red flags relevant to their own accounts.
Here are the five categories of red flags:
- Warnings, alerts, alarms, or notifications from a consumer reporting agency (CRA)
- Suspicious documents
- Unusual use of, or suspicious activity related to, a covered account
- Questionable personally identifying information, such as a suspicious inconsistency with a last name or address
- Notifications from customers, law enforcement authorities, other businesses, and victims of identity theft regarding possible identity theft in connection with specified accounts.
If a transaction is consummated, you must run a Red Flags check on everyone whose credit report you pull with a hard inquiry, regardless of whether credit is ultimately offered. A typical example: if a consumer has placed a fraud alert or a freeze with one or more of the credit reporting agencies because of potential fraudulent activity, that is a red flag in itself, and it is best to err on the side of caution and verify the applicant's identity before proceeding.
Ensure your compliance program or third-party compliance vendor checks multiple extensive databases rather than simply reviewing the data returned in a credit report. You also need to confirm that the information returned during the Red Flags check is current; a match against stale data is not a verification.
Remember, it's your responsibility to verify and safeguard all consumer data you handle.