Enforcement of Red Flags Rule Delayed

Although certain organizations should already be in compliance with the Red Flags Rule, the Federal Trade Commission (FTC) released a bulletin at the end of April announcing the decision to postpone enforcement until August 1, 2009.

The delay only applies to organizations regulated by the FTC. Federally regulated financial institutions and nationally chartered credit unions had a mandatory November 1, 2008, compliance date.

This rule requires creditors to detect, prevent, and mitigate the “red flag” warning signs of identity theft by implementing a written Identity Theft Prevention Program (ITPP). Hopefully, most affected organizations have a plan in place, considering this isn’t the first time the enforcement deadline has been extended.

“The FTC delayed the effective date to give smaller struggling organizations more time to understand the new rules, but we cannot expect this to happen again. In this economic environment, the chances of identity theft seem even greater, making it imperative organizations act now,” urges Nancy Stertz, a compliance manager with LarsonAllen.

What is a “red flag” and does the regulation apply to your business?

A “red flag” is defined by the FTC as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”

The Red Flags Rule is a result of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Any organization that offers, extends, or arranges consumer credit or defers payments for products and services was expected to develop, adopt, and implement a written ITPP by November 1, 2008. Enforcement is what has been delayed, not compliance.

These rules apply to a broad group of entities, including banks, dealerships, utility and telecommunication companies, and mortgage brokers. The law also applies to government and nonprofit organizations, such as colleges, bookstores, hospitals, and physician practices.

“Assessing how at risk your company is for identity theft is an absolute requirement for just about every organization,” says Stertz. In addition, she points out that the rules only require an annual review of the ITPP, but we recommend updating it as often as the work environment changes.

The extended deadline doesn’t apply to all

The deadline for developing a written ITPP was not extended for businesses and organizations that are federally regulated by the FTC. For financial institutions (other than state-chartered credit unions), complying by November 1, 2008, is still mandatory.

What your ITPP needs to include

The program must contain policies and procedures to:

  • Identify “red flags” that appear within “covered accounts”
  • Detect and respond to “red flags”
  • Monitor your policies and procedures to determine if changes have occurred based on new types of identity thefts

Penalties for noncompliance

If an organization does not comply and there is an incident of identity theft, the FTC will investigate. If a violation has occurred, the FTC may impose an administrative settlement, which could result in an injunction requiring the company to comply with the Red Flags Rule and pay civil penalties of up to $2,500 for each violation. If the organization still does not comply with the rules, a federal lawsuit could be filed for up to $11,000 per subsequent violation.

How we can help

LarsonAllen is experienced in handling information security risks. We can help you perform a risk assessment to identify your areas of vulnerability. In addition, we will provide training materials and templates to assist in developing policies and procedures specific to your organizational structure.

“The FTC plans to publish a template to help entities that have a low risk of identity theft comply with this law,” says Stertz.

For more information, contact Nancy Stertz or visit these helpful FTC Web resources:

Published: 5/14/2009

©2010 LarsonAllen LLP Equal Opportunity/Affirmative Action Employer