On June 1, the Federal Trade Commission begins enforcing “Red Flag” rules, which require businesses to implement anti-identity theft policies. Created through the Fair and Accurate Credit Act of 2003, the regulations require businesses that extend credit to consumers to develop a written policy that identifies warning signs and suspicious activities (i.e., red flags) of possible identity theft, and tactics to address and prevent it. If your business defers payment for goods or services, you must follow the Red Flag rules.
The new rules apply to entities that “regularly extend, renew or continue credit.” The FTC defines these creditors as banks, credit unions, mortgage and finance companies, vehicle dealers, utility companies and municipal utility districts, and telecommunications companies. However, accounting firms, law firms, not-for-profit and government agencies that regularly defer payment of goods and services are also considered creditors. Doctors, dentists and hospitals are also considered creditors.
If your company is subject to the rules, you need a program for “covered accounts.” Covered accounts include most accounts used for personal, family or household purposes that involve multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, employer-provided individual retirement accounts, checking accounts and savings accounts.
Your Red Flag program should include:
- A written policy reflecting procedures to identify red flags that are relevant to your business and used in your day-to-day operations, such as how you will verify identity and authenticate customers in person, online, by mail, over the internet, etc. Explain how new accounts versus existing accounts will be handled.
- Policies and procedures to detect possible identity theft once identified, and how you will prevent or mitigate identity theft.
- How the policies will be revised as technology is upgraded and new tactics are used over time.
- An approval and reporting mechanism with your company’s board of directors or, lacking one, a senior executive. This should include at least an annual report detailing the effectiveness of the policy, the response to any identity theft issues experienced and recommendations for changes to the policy.
An attorney knowledgeable about Red Flag regulations can assist you in creating this document. Many state and national business associations, such as the American Medical Association, have established industry-specific sample Red Flag policies.
If your business is subject to the regulation and you don’t put a Red Flag program in place, you could be penalized. The FTC can enact penalties up to $3,500 for each violation of the rule. States can also impose up to $1,000 per violation plus attorney fees. Customers can also file civil suits to recover actual damages sustained due to a violation. The rules open the door not only to damage to a company’s reputation, but also to class action lawsuits, which could result in massive damages.
You can learn more about Red Flag rules at www.ftc.gov/opa/2009/10/redflags.shtm.