Ready for the New Red Flags Rule on Identity Theft?
David A. Stiefel, MBA, CPA/PFS, Principal and Director, Family and Closely Held Business Services
August 10, 2009
UPDATE
Two weeks ago we notified you of a pending deadline regarding the new Red Flags Rule. The FTC has since announced a three-month delay in implementing the Rule, now scheduled to take effect on November 1, 2009.
According to the FTC, one reason for the delay is that small business and other entities with a low risk of identity theft are uncertain about their obligations under the Rule. The FTC needs time to educate them regarding compliance―including additional guidance on whether they are covered and what they must do to comply.
Another reason for the delay is that the FTC has recognized the risk of identity theft is extremely low for certain small businesses and not-for-profit organizations. In these cases, according to the FTC, its staff is not likely to take action to enforce compliance. The FTC cites the following examples:
You know your clients individually―as is the case with many professional service firms―so the chance that an identity thief could impersonate a client is extremely low.
You provide services to customers at their homes, which minimizes the risk because identity thieves generally do not want their home addresses known.
You operate in a sector where identity theft is extremely rare.
The FTC's news release on the new implementation date is available on the FTC website.
July 27, 2009
Red flags have warned us of danger for hundreds of years, so it's not surprising they're now being used to address another growing danger in America: identity theft, which claims nearly ten million victims each year.
Under a new federal law most financial institutions and other businesses, including some not-for-profit organizations, must take action. This new law, commonly referred to as the Red Flags Rule, requires businesses and organizations that extend credit to clients and customers―even those with a low risk for identity theft―to develop written programs to "prevent, detect, and minimize the damage from identity theft."
The Rule currently applies to financial institutions that fall under the jurisdiction of the federal bank regulatory agencies and the National Credit Union Administration. However, as of August 1, 2009, it also applies to financial institutions under the jurisdiction of the Federal Trade Commission (FTC), as well as many businesses and not-for-profit organizations.
If you're a business or not-for-profit organization that accepts deferred payments for your products and/or services, the Red Flags Rule may now apply to you. In fact, according to the FTC, "most businesses and organizations that provide products and services to their customers and then bill them later are covered by the Rule." This includes professional service firms, such as medical and dental practices, law firms, consulting businesses, and accounting firms.
If you're subject to the Red Flags Rule and you're not in compliance, the resulting financial penalties can be substantial, so it pays to know the basics.
How to Determine If You're Subject to the Rule
You're subject to the Red Flags Rule if you're a financial institution or a creditor, and you have covered accounts.
The FTC defines these terms as follows:
Financial Institution: "a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer."
Creditor: "businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later." Simply accepting credit cards as a form of payment does not establish a creditor relationship under the Rule.
The definition of creditor also encompasses "one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions." It includes "anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit."
Covered Account: existing and new accounts that fall into either of two categories: (1) "a consumer account you offer your customers that's primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions," or (2) "any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft."
What You Need to Do to Comply
The Red Flags Rule was designed to provide financial institutions, businesses, and not-for-profit organizations with the flexibility to create identification and prevention programs for identity theft that are tailored to their unique sizes and risk factors. However, the Rule did establish certain requirements that create a common framework.
If you're subject to the Rule, you must "develop, implement, and administer" a written identity theft program that includes the following four elements:
Identification: "reasonable policies and procedures" to identify the "suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft"―in other words, the red flags. Examples of possible red flags include invalid phone numbers or nonexistent addresses, sudden activity in a long-dormant account, a major change in spending patterns, or a Social Security number that is listed as either not issued or issued to a now-deceased person.
Detection: procedures to actually detect the suspicious activities and practices that you've identified as red flags.
Prevention and Mitigation: actions to be taken when suspicious activities are detected.
Reassessment: periodic re-evaluation of the program's identification and detection policies in order to address new threats.
Your written program must be approved by your board of directors or, if you don't have a board, by an appropriate senior-level employee. It must identify the person responsible for implementing and administering the program. And it must provide for adequate staff training and compliance monitoring.
The Penalty for Violations
If you're subject to the Red Flags Rule and found to be in violation, the civil penalty is a maximum of $2,500 per violation.
Because each client or customer account can be considered a separate violation, the total penalty can be quite substantial.
For More Information
The FTC has created a website with resources to help businesses and not-for-profit organizations understand and comply with the Red Flags Rule: http://ftc.gov/redflagsrule.
The site includes a downloadable version of the publication Fighting Fraud With The Red Flags Rule: A How-To Guide for Business at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf. It includes a detailed discussion of risk factors, sources of red flags, and categories of common red flags.