In December of 2003, then President Bush signed into law the Fair and Accurate Credit Transactions Act, now commonly referred to as “FACTA”.  The purpose behind FACTA was to protect the public from the ever increasing threat of identity theft and to provide six federal agencies the ability to do something about it.  

Confusing and changing effective dates

It took almost four years, or until November 2007, for the agencies to draft, collect public comment, agree upon and adopt their collective regulations.  The FTC (although not the other five agencies) has repeatedly given financial institutions and creditors, the two groups impacted and subject to the Red Flags provisions of the law additional time to come into compliance with those portions of the Regulations. 

The newest final Red Flags compliance date of June 1, 2010, meaning the FTC’s enforcement of the Red Flags Rules is now just around the corner.  (See http://www.ftc.gov/os/2009/10/091030redflagsrule.pdf.)  Are you or your property manager ready for compliance? 

For the purposes of the other agencies and their enforcement of the law, the law is already in effect and being enforced.  These varying and changing enforcement dates has made it somewhat confusing for the impacted businesses to understand what was needed, or is still needed, to be in compliance for the various portions of the law, and by what date the procedures needed or still need to be in place. 

Confusing coverage

The other confusing aspect of this legislation is its broad spectrum impact and the challenges and modifications it has undergone. 

The legislation as it was first enacted went far beyond the typical financial institutional coverage, and included businesses such as hospitals, car dealerships and utility companies as “creditors”.  Furthermore, a “covered account” can be any account which has a risk of identity theft, suggesting that pretty much any account held by a covered business or sole proprietorship can be included as a “covered account”. 

The coverage issue has also been weighed in on by the judicial system.  On October 30, 2009, a U.S. District Court Judge for the District of Columbia ruled that practicing attorneys are not creditors under FCRA and therefore do not have to comply with the Red Flags Rule. (See http://www.abanet.org/media/docs/ABA_v._FTC_Amended_Order.pdf)

Just last year, on October 20, 2009 the coverage confusion was continued, rather than clarified. The House of Representatives unanimously approved HR 3763 (http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.3763:), a bill to exempt from the coverage of the Red Flags Rule any health care, accounting, or legal practice with twenty or fewer employees, as well as certain “other businesses”.  The exemption makes it clear that Congress intended to provide some relief to small businesses (those with less than 20 employees).  But it also tells us that these specific business types with more than 20 employees were to be included in the coverage. 

However, it is the “other business” exemption that is problematic as it includes this interesting exemption: 

“(D) any other business, if the Commission determines, following an application for exclusion by such business, that such business—

‘(i) knows all of its customers or clients individually;

‘(ii) only performs services in or around the residences of its customers; or

‘(iii) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.”  (See http://www.govtrack.us/congress/billtext.xpd?bill=h111-3763)

Presumably, a business must formally apply for and receive approval for an exemption under Section D.  The FTC had 180 days from enactment of H3763 to provide an exemption application procedure to the public.  Such a procedure will likely make this exclusion provision expensive and difficult to utilize for the small business owner it was probably designed for and intended to assist. 

Why Congress would provide a “small business” exemption and only to require a “big business” application procedure to take advantage of it?  The result seems silly and wasteful.  At a time when small business is publically revered and lauded as the solution to our current economic woes, Congress is saddling small business with yet another confusing and expensive regulatory obligation. 

Unfortunately, landlords and property management companies were neither specifically named as examples of covered businesses, nor not named as exempt businesses in the legislation.  But I believe it is clear if one uses the plain meaning of words and the language of the legislation, that property management leasing and rental activities are covered by it.  Furthermore, the activities of a landlord are specifically called out as high risk for identity theft in an article written by FTC staff entitled:  “The Red Flags Rule: Compliance Tips for Companies Offering Services In and Around the Home” (see:http://www.ftc.gov/bcp/edu/pubs/articles/art15.shtm). 

A triad of regulations

There are three basic parts to the regulations, two of which likely cover property owners and managers. 

• Address Discrepancy

The second portion of the regulation, already being enforced, requires users of consumer reports to adopt and implement policies and procedures to verify an identity if and when they receive a notice of address discrepancy from any one of the consumer reporting agencies.  As users of consumer reports, landlords and property managers are subject to this element. 

• Debit or Credit Card Address Change

The third aspect of the regulation requires issuers of debit and credit cards to adopt and follow procedures designed to validate address change requests, under certain circumstances.  This portion is also already being enforced.  Since owners and managers do not issue debit and credit cards, they are not subject to this portion of the law. 

•  Red Flags Rule

The final and most complicated portion of the legislation is the “Red flags” portion.  This is the portion which the FTC will begin enforcing as of June 1, 2010.  When covered by the regulation, financial institutions and creditors must implement an identity theft program designed to detect, prevent, and mitigate identity theft in connection with covered accounts held by the financial institution or creditor.  Landlords are likely covered as “creditors” and it is likely our client and resident “accounts” are covered. 

Address discrepancies

The rule requires consumer credit reporting agencies to notify the user of the report if there is an address discrepancy between the address on record for the consumer and the address entered by the company who ordered the report.  Once in receipt of such a notice, the onus is on the report holder to take action to form a reasonable belief of the identity of the consumer. 

Every person or business using the common tool of credit reports is subject to the requirement and obligations of this portion of the rule.  And landlords are specifically called out for compliance in Section l.8(c) of the Federal Register.  (Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations.  See generally: http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.)

Property management companies and residential property owners should have already adopted policies and procedures to deal with applicant address discrepancies.  For property owners and managers this means that when reviewing an applicant’s credit report, if an address discrepancy is reported, the prospective landlord or management company must have a procedure in place to investigate and resolve the reported discrepancy(s).

Appropriate follow up response procedures might include the request of a written explanation from the applicant, the internal verification that the address discrepancy is not a name mix-up or name misspelling, or an error related to the address belonging to someone with a similar or identical name who is not your applicant. 

Debit and credit card address change requests

Any issuer of a debit or credit card is now required by law to have safeguards in place to verify the validity of a change of address request.   A typical identity thief will notify a credit card issuer of a request for address change and have new cards issues and or the monthly statements then sent to the new address, thereby making the fraud harder to uncover for the card holder who never receives the new card(s) or the statements. 

Consequently change of address events are high risk procedures, often acting as an early warning detection of an identity theft incident.  Change of address verification procedures should reduce the number of successful identity theft occurrences. 

As property owners and managers do not issue debit or credit cards, it is logical that this portion of the regulations will not impact this group.  Furthermore, it is difficult to see how the typical address change scam could apply to a residential housing lease or a landlord-tenant relationship (assuming the resident is currently occupying a unit for which you are responsible).  So unless as a landlord you are issuing credit or debit cards (highly unlikely), or partnering with such a company in an unrelated business venture, you are probably not covered by this portion of the rules.       

The Red Flags Rule

In our next article, the specific details of the Red Flags rule are broken down and analyzed to provide the reader a basic understanding of the Red Flags Rule portion of the legislation. 

How to comply as a property owner or manager?

By now you are likely scratching your head wondering how to comply with this legislation as a property manager or owner.  The answer to this question will be discussed in Part 3 of the series: Red Flags Compliance for Property Owners and Managers.  Coming soon!



Update: