Essentials - Winter 2010

Raising the Red Flags
Red Flags Rule to take effect June 1 - Are you prepared?

Now that the Federal Trade Commission has extended enforcement of the Red Flags Rule until June 1, 2010, organizations subject to this rule have more time to develop and implement written policies to combat identity theft. If your organization is subject to the Rule and you haven’t already implemented a so-called "Identity Theft Prevention Program," now is the time to understand your responsibilities.

Who must comply

The Red Flags Rule requires "creditors" and "financial institutions" to develop and implement written identity theft prevention programs to help identify and respond to specific activities, known as red flags, that might signal identity theft. The Rule applies to groups that might not actually consider themselves creditors or financial institutions. In fact, the rule applies to any organization that:

• directly or indirectly holds a transaction account belonging to a consumer; or

• regularly defers payment for goods or services or provides goods or services and bills customers later.

Most organizations who invoice clients or customers must comply. Examples include organizations that bill for services previously provided, allow members to pay dues or pledges in installments, provide loans, or offer a plan for payment of tuition throughout the semester.

If your organization fits into one of these categories, it must implement a written policy if it has "covered" accounts. A covered account is:

• a consumer account you offer customers that is designed primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; or

• any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the organization from identify theft.

Designing an appropriate program

After determining that the Red Flags Rule applies, you should design an identity theft prevention program that is tailored to the size of your organization and your risk of identity theft. The FTC advises that your program should include four basic elements, as outlined below.

Identify relevant red flags. Your program should outline, in written form, possible red flags your organization might face. In order to help organizations detect the warning signs of potential identity theft, the FTC provided the following list of categories of common red flags.

1. Alerts, notifications, and warnings from a credit reporting company.

2. Suspicious documents, such as a person who does not look like the photo on the identification provided.

3. Suspicious personal identifying information, such as an address for a mail drop.

4. Suspicious account activity, such as information that the customer is not receiving statements in the mail.

5. Notice from other sources, such as a law enforcement authority.

Detect red flags. It’s not enough to simply list the possible red flags – you must also have procedures in place to detect them. For instance, if you’ve determined that a red flag might be a member who is not receiving monthly statements in the mail, you should have a procedure in place for identifying which members are or are not receiving statements.

Prevent and mitigate identity theft. Your program should describe what action should be taken when a red flag is detected. Using the example of the monthly statement red flag, your policy should outline what should be done (and by whom) to follow up with a member who indicates they are not receiving their monthly statements.

Update your program. Your organization should review your prevention program regularly to ensure you aren’t overlooking any identity theft risks. Put your review schedule in writing within the program to help you re-evaluate in a timely manner.

Program administration

The FTC considers this identity theft prevention program so important that each organization’s initial written program must have the approval of the organization’s board of directors or an appropriate committee of the board. The Rule also requires training for appropriate staff members, specifically those who are most likely to detect or deter identity theft. And, you should inquire whether your subcontractors or business partners are in compliance with the Red Flags Rule, if it applies to them. The FTC suggests including a Red Flags Rule provision in your contracts or requesting a copy of their prevention program.

Failure to comply with the Red Flags Rule might expose your organization not only to litigation risks, but also to the risk of substantial penalties levied by the FTC. You can find more information on this topic at http://www.ftc.gov/redflagsrule or on our Web site at www.williamskeepers.com/resources.html.

Click here to view the article in PDF format.

Back to News page

Columbia, MO (573) 442-6171  |  Jefferson City, MO (573) 635-6196  |  information@williamskeepers.com

Member, PKF North American Network  |  Copyright © 2008 Williams-Keepers LLC