The Nov. 1 deadline for new data security regulations required for many companies has just arrived.

Known as FACTA (Fair and Accurate Credit Transactions Act), the rules require covered entities to re-examine their ID theft prevention policies and implement new procedures and business practices.

More specifically, FACTA requires a written ID theft prevention policy that includes polices that identify “patterns, practices or specific activities that could indicate identity theft,” according to the FTC (Federal Trade Commission). Violators of the new rules can be subject to civil penalties of up to $2,500 per violation.

The new regulations – also known as Red Flag rules — have long been thought to only apply to financial institutions such as banks, savings and loans, mortgage lenders and credit unions, but as the compliance deadline nears, SMBs (small and midsize businesses) are concerned the rules may also cover them. While clearly targeting financial institutions, the rules also cover “any person or business” that arranges for customer credit.

“A creditor includes anyone who regularly extends credit to their customers, but the definition is not limited to that and can be broader,” said Frank Dorman, a spokesman for the FTC.

The agency defines a creditor as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.”

A business alert issued by the FTC adds, “Accepting credit cards as a form of payment does not in and of itself make an entity a creditor.”

When asked if the Red Flag rules apply to SMBs, Steve Neville, Entrust’s director of identity products and solutions, replied, “Technically not, but it is a devilishly detailed question.”

Neville said most companies that extend credit to customers are doing so through an intermediary such as GE Creditline. In that case, GE would assume responsibility for FACTA compliance. Companies that don’t use intermediaries would be subject to the Red Flag rules.

The FTC added the Red Flag rules to FACTA in January. Businesses are required to define policies for recognizing red flags in identity verification. Typical red flags include discrepancies in address histories, fraud alerts on consumer reports, questionable use of Social Security numbers, credit freeze notifications and unusual patterns of customer activities.

Tags: credit, FACTA, law