Many Will Need to Comply With the Red Flag Rules
Story Highlights
|
- A “red flag” is defined by the FTC as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”
- The extended deadline does not apply to banks and federal credit unions.
- Organizations that do not comply with the Red Flag Rules may be fined if an identity theft incident occurs.
- LarsonAllen can provide templates to assist businesses in determining whether the rules apply, and developing policies and procedures.
|
The Federal Trade Commission (FTC) is instituting sweeping regulations intended to help protect consumers from identity theft. The new rules require certain businesses and organizations to develop a written policy that detects the "red flag" warning signs of identity theft that are applicable to their organization.
The extended deadline does not apply to all business entities
The deadline for developing a written Identity Theft Prevention Program has been extended to May 1, 2009 for businesses and organizations whose federal regulator is the FTC. For financial institutions (other than state-chartered credit unions), the November 1, 2008 mandatory compliance date still stands.
The rules apply to a broad group of entities, including banks, auto dealers, utility and telecommunication companies, and mortgage brokers. The law also applies to government and nonprofit organizations, such as colleges, bookstores, hospitals, and clinics.
"Performing a risk assessment to determine whether the rules apply is an absolute requirement for just about every organization," says Nancy Stertz, a compliance manager with LarsonAllen. "The risk assessment and the development of a written policy will not only help you comply with the regulation, it can also identify your areas of vulnerability."
According to the FTC, a red flag is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” The FTC expects businesses to internally mitigate the possibility of identity theft.
Who’s affected
The FTC's Red Flag Rules put the responsibility for securing, handling, and monitoring the use of personal information on creditors. If your organization offers, extends, or arranges for consumer credit, or defers payment for your products or services, you must develop, adopt, and implement a written Identity Theft Prevention Program (ITPP).
Entities that maintain consumer credit include:
- State and national banks
- Savings and loan associations
- Mutual savings banks
- Credit unions
- Any entity that holds a “transaction account” (accounts where the owner makes payments or transfers)
Implementing an ITTP
A business’ ITTP must contain policies and procedures to:
- Identify red flags relevant to your business or organization
- Detect and respond to red flags
- Monitor policies and procedures and adapt accordingly to new types of identity theft
- Train staff
- Provide oversight to service providers
If a creditor does not comply and there is an incident of identity theft, the FTC will investigate. If the FTC finds a violation, it may impose an injunction requiring compliance and the payment of civil penalties of up to $2,500 for each violation. If the business still does not comply, a federal lawsuit could be filed for up to $11,000 per subsequent violation.
How we can help
LarsonAllen has already been working with clients to comply with these regulations. We can provide training materials for employees, and templates for performing your risk assessment and developing policies and procedures. More importantly, we can help companies tailor policies to their specific organizational structure.
For more information contact Nancy Stertz, or read the FTC bulletin.