The rule applies to a wide variety of businesses and non-profit organizations that may not be aware of it or its requirements. Many firms not normally involved with the FTC will have to comply with the rule. There is no exemption for small firms or non-profit groups.
To know whether your business or organization is subject to the Red Flags Rule, you must determine whether you are a “financial institution” or a “creditor” as the regulations define those terms.
Your firm is a financial institution if it is a state or national bank, state or national savings and loan association, state or national credit union, a mutual savings bank, or if it holds accounts or deposits from which consumers can pay or transfer funds to third parties. For example, a mutual fund that offers check writing or debit card privileges is a financial institution for purposes of the rule.
If your firm is not a financial institution, it may still have to comply with the rule if it is a creditor. Your firm is a creditor if it regularly extends credit, arranges for someone else to extend credit, or makes credit decisions.
This includes organizations that provide products or services and allow for payment at a later date. Examples of creditors include law practices, accounting firms, medical practices, auto dealers and mortgage brokers, to name just a few.
If your firm is a financial institution or a creditor, you must determine whether it offers or maintains covered accounts. A covered account is either a consumer account designed to permit multiple payments or transactions, such as credit card accounts, mortgage loan accounts, cell phone accounts, auto loan accounts or savings or checking accounts, or any other account that poses a reasonably foreseeable risk of identity theft.
Firms will have to evaluate identity theft risk levels by reviewing the methods they use to open accounts, the methods they use to access accounts and any previous experience they have had with identity theft.
If your firm is a financial institution or a creditor but does not offer or maintain covered accounts, you won’t have to develop a written identity theft program now. However, you will have to conduct risk assessments from time to time to determine whether changes have occurred that may cause the Red Flags Rule to apply.
If you determine that your firm is a financial institution or a creditor and offers or maintains covered accounts, you must develop and implement a program designed to detect, prevent and mitigate identity theft. The program must be in writing and it must be formally adopted by your firm’s board of directors or, if you have no board of directors, by a senior management level employee.
The regulations do not provide a model form of identity theft prevention program for all firms to adopt. Instead, they require that each firm adopt a program that is appropriate for itself, taking into account its size, complexity and the nature of its activities.
However, the FTC offers on its Web site guidance and a template that firms with minimal risk of identity theft may use in creating their programs.
The regulations describe certain elements that each program should include. Each program must provide for policies and procedures that will: identify patterns, practices or activities that will alert the firm to the possible occurrence of identity theft—the so-called Red Flags; detect Red Flags that the program has incorporated; respond to any Red Flags that the firm may detect; and ensure that the firm updates its program periodically to account for any changes in risk to its customers.
The regulations list several categories of Red Flags and state that firms should incorporate those that are relevant into their programs. The categories include: alerts received from consumer reporting agencies or fraud detection service providers; presentation of suspicious documents; presentation of suspicious personal identification information; suspicious activity relating to a covered account; and notices from customers, victims of identity theft, law enforcement agencies or others regarding possible identity theft. An appendix to the regulations provides more detailed examples of Red Flags from each category.
If your firm is subject to the Red Flags Rule and fails to develop, adopt and implement an identity theft program by Nov. 1, 2009, it may be subject to enforcement action by the FTC. This could include an action in court seeking an injunction to compel compliance. It could also include a penalty of up to $2,500 per incident of knowingly violating the rules.
The Red Flags Rule applies to a wide range of businesses and non-profit organizations that understandably don’t consider themselves to be financial institutions or creditors and may be unaware of the rule. Still, those firms will have to comply by developing, adopting and implementing programs to detect, prevent and mitigate identity theft.
With the November 1, 2009 deadline fast approaching, firms should act now to determine whether the rule applies to them and, if it does, begin work soon on their identity theft programs.
The Business Ledger