Red Flags Rule Takes Effect November 1, 2009
The Red Flags Rule will take effect on November 1, 2009. This rule, enforced by the Federal Trade Commission (FTC), requires businesses and organizations to develop and implement a written Identity Theft Prevention Program designed to detect signs, or “red flags,” of identity theft in their daily operations, take steps to prevent it, and mitigate the danger caused by it.
The Red Flags Rule applies to “financial institutions” and “creditors” who have “covered accounts.” Financial institutions include banks, credit unions, or any other entity that holds a transaction account belonging to a customer, whether directly or indirectly, and that offers accounts where the customer can make payments or transfers to third parties.
Creditors include businesses or organizations that regularly defer payment for goods or services, or who provide goods and services and bill customers later. Creditors are also entities who regularly offer, arrange for or extend credit to customers. Utility companies, health care providers, telecommunications companies, law firms, finance companies, mortgage brokers and real estate agencies, automobile dealers and retailers that offer financing or help consumers get financing from others fall into this category.
NOTE: Simply accepting credit cards as a form of payment does not designate you a creditor under the Red Flags Rule.
Covered accounts are accounts offered primarily for personal, family or household use that permit multiple payments or transactions, or any account for which there is a reasonable risk of identity theft. Examples are credit card accounts, loans, utility accounts, bank accounts and small business accounts.
Your Identity Theft Program must include four (4) basic elements:
- You must institute reasonable policies and procedures to identify the “red flags” that you may run across in the daily operation of your business: suspicious patterns, practices, or specific activities that indicate the possibility of identity theft.
- The program must be designed to detect the red flags described in your policies. For example, if you have identified fake driver’s licenses as a red flag, then you must have procedures in place to detect them.
- Your program must spell out the appropriate actions to take when red flags are detected.
- You must address the methods by which you will re-evaluate your procedures periodically to ensure they are relevant at all times.
You will also need to designate the person from your organization who will be responsible for implementing and administering the plan effectively, and offer appropriate staff training. You must also address how you will monitor your contractors’ compliance. Finally, the head of your company must approve the plan, whether it be the Board of Directors or an appropriate senior employee in your organization.
For more information, please see:
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf and frequently asked questions at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.