Another Red Flags Rule Delay for Small Businesses
The Federal Trade Commission (FTC) granted small businesses another break by postponing enforcement of the Red Flags Rule until November 1, 2009. Technically, entities that are considered creditors should already be in compliance with this anti-fraud regulation; in practice, they now have three more months to fully implement a written Identity Theft Prevention Program (ITPP).
The FTC deferred enforcement of the Red Flags Rule in response to pleas from the House Appropriations Committee to ease compliance for struggling small businesses and for health care providers at low risk of identity theft.
“We thought the August delay would be the last, but it is now apparent that we cannot predict what will happen next. At this point, all we can do is assume the rules will go into effect on November 1 and plan accordingly,” says Nancy Stertz, a compliance manager with LarsonAllen.
The FTC also expanded its Red Flags education campaign. Its online how-to guide includes tools to help businesses determine whether the rule applies to them, comply with it, and design an ITPP.
According to Stertz, “The FTC’s online resources will be useful to businesses with a low risk of identity theft, but entities with higher risks need to do more analysis and documentation.”
Definition of a “red flag” and the entities covered by the rule
A “red flag” is defined by the FTC as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”
The Red Flags Rule implements the Fair and Accurate Credit Transactions Act of 2003 (FACTA). What has been delayed is enforcement of the rule, not the compliance obligation itself: any organization that offers, extends, or arranges consumer credit, or defers payment for products and services, was expected to develop, adopt, and implement a written ITPP by November 1, 2008.
Generally, this fraud prevention rule applies to a broad group, including banks, dealerships, utility and telecommunication companies, mortgage brokers, health care providers, governmental entities, nonprofit organizations, and any other creditors.
The extended deadline does not apply to all
The FTC's delay covers only the entities it regulates. For financial institutions regulated by the federal banking agencies or the National Credit Union Administration (that is, all financial institutions other than state-chartered credit unions, which fall under the FTC), the original November 1, 2008, deadline for a written ITPP still stands.
Requirements of an identity theft prevention program
Your ITPP must contain policies and procedures to:
- Identify the “red flags” relevant to the “covered accounts” the organization maintains
- Detect those red flags in day-to-day operations and respond appropriately to prevent or mitigate identity theft
- Update the program periodically to reflect changes in identity theft risks, including new types of identity theft
“These rules only require a periodic review of the ITPP, but it’s wise to update your program as often as the work environment changes,” recommends Stertz.
According to Stertz, examples of work environment changes could include:
- A change in computer systems or third-party service providers
- New experiences with identity theft
- Offering new products or services
Penalties for noncompliance
If an organization has not complied and an incident of identity theft occurs, the FTC will investigate. If it finds a violation, the FTC may seek an administrative settlement, which could result in an injunction requiring the company to comply with the Red Flags Rule and pay civil penalties of up to $2,500 for each violation. If the organization still does not comply, a federal lawsuit could follow, with penalties of up to $11,000 per subsequent violation.
How we can help
LarsonAllen is experienced in handling information security risks. If your business is at low risk of identity theft, we can guide you through the FTC’s templates. We can also help organizations perform risk assessments to identify areas of vulnerability, and we tailor our training materials and templates to your organizational structure and industry. For more information, contact Nancy Stertz or the principal in your region.