The Red Flags Rule applies to “financial institutions” and “creditors” who have “covered accounts.” Financial institutions include banks, credit unions, or any other entity that holds a transaction account belonging to a customer, whether directly or indirectly, and that offers accounts where the customer can make payments or transfers to third parties.

 Creditors include businesses or organizations that regularly defer payment for goods or services, or who provide goods and services and bill customers later.  Creditors are also entities who regularly offer, arrange for or extend credit to customers.  Utility companies, health care providers, telecommunications companies, finance companies, mortgage brokers and real estate agencies, automobile dealers and retailers that offer financing or help consumers get financing from others fall into this category.   

NOTE:  Simply accepting credit cards as a form of payment does not designate you a creditor under the Red Flags Rule. 

Covered accounts are those that are offered primarily for personal, family or household uses that permit multiple payments or transactions, or an account for which there is a reasonable risk of identity theft.  Examples are credit card accounts, loans, utility accounts, bank accounts and small business accounts.

An Identity Theft Program must include four (4) basic elements:

1.  Reasonable policies and procedures to identify the “red flags” that companies may run across in the daily operation of business, suspicious patterns, practices, or specific activities that indicate the possibility of identity theft.

2.  The program must be designed to detect the red flags described in the policies.  For example, if you have identified fake driver’s licenses as a red flag, then you must have procedures in place to detect them.

3.  The program must spell out the appropriate actions to take when red flags are detected.

4.  Employers must address the methods by which they will re-evaluate their procedures periodically to ensure they are relevant at all times.

Employers will also need to designate the person from the organization who will be responsible for implementing and administering the plan effectively, and offer appropriate staff training.  Employers must also address how to monitor contractors’ compliance.  Finally, the head of the company must approve the plan, whether it be the Board of Directors or an appropriate senior employee in the organization. 

For more information, please see the FTC’s pamphlet, Fighting Fraud with the Red Flags Rule:  A How-To Guide For Business.

The rule applies to all businesses in the Commonwealth, who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. All policies must be in writing, but the scope and complexity of the policy is dependent on the nature and scope of each business.  Employees must be trained on what they need to do to protect confidential information.

The updates to the legislation cover four (4) areas:

1. The rule adopts a risk-based approach.  Businesses are required to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.  This is particularly important for small businesses who typically do not handle or store large amounts of personal and confidential information.
2. What had been requirements for inclusion in policies have been removed, and should be used as guidance only.
3. The encryption requirement has been changed to be technology neutral and technical feasibility has been applied to all computer security requirements.
4. The third party vendor requirements have been changed to be consistent with Federal law.

The statute can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf, and FAQs can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf.

The Red Flags Rule applies to “financial institutions” and “creditors” who have “covered accounts.” Financial institutions include banks, credit unions, or any other entity that holds a transaction account belonging to a customer, whether directly or indirectly, and that offers accounts where the customer can make payments or transfers to third parties.

Creditors include businesses or organizations that regularly defer payment for goods or services, or who provide goods and services and bill customers later.  Creditors are also entities who regularly offer, arrange for or extend credit to customers.  Utility companies, health care providers, telecommunications companies, law firms, finance companies, mortgage brokers and real estate agencies, automobile dealers and retailers that offer financing or help consumers get financing from others fall into this category.

NOTE:  Simply accepting credit cards as a form of payment does not designate you a creditor under the Red Flags Rule.

Covered accounts are those that are offered primarily for personal, family or household uses that permit multiple payments or transactions, or an account for which there is a reasonable risk of identity theft.  Examples are credit card accounts, loans, utility accounts, bank accounts and small business accounts.

Your Identity Theft Program must include four (4) basic elements:

1. You must institute reasonable policies and procedures to identify the “red flags” that you may run across in the daily operation of your business, suspicious patterns, practices, or specific activities that indicate the possibility of identity theft.
2. The program must be designed to detect the red flags described in your policies.  For example, if you have identified fake driver’s licenses as a red flag, then you must have procedures in place to detect them.
3. Your program must spell out the appropriate actions to take when red flags are detected.
4. You must address the methods by which you will re-evaluate your procedures periodically to ensure they are relevant at all times.

You will also need to designate the person from your organization who will be responsible for implementing and administering the plan effectively, and offer appropriate staff training.  You must also address how you will monitor your contractors’ compliance.  Finally, the head of your company must approve the plan, whether it be the Board of Directors or an appropriate senior employee in your organization.

For more information, please see:

http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf and frequently asked questions at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.