Are you complying with the Red Flags Rule?
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. By identifying red flags in advance, businesses will be better equipped to spot suspicious patterns that may arise — and take steps to prevent a red flag from escalating into a costly episode of identity theft.
Resources on this site can help business people educate their staff and colleagues about complying with the Red Flags Rule.
What Compliance Looks Like
Your Identity Theft Prevention Program is a “playbook” that must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. Your Program should enable your organization to:
- identify relevant patterns, practices, and specific forms of activity — the “red flags” — that signal possible identity theft;
- incorporate business practices to detect red flags;
- detail your appropriate response to any red flags you detect to prevent and mitigate identity theft; and
- be updated periodically to reflect changes in risks from identity theft.
The Red Flags Rule also includes guidelines to help financial institutions and creditors develop and implement a Program, including a supplement that offers examples of red flags.
The FTC and the federal financial agencies have issued Frequently Asked Questions and answers to help businesses comply with the Rule.
Who Must Comply with the Red Flags Rule?
The Rule requires “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft — to develop and implement an Identity Theft Prevention Program for new and existing accounts. The definition of “financial institution” includes:
- all banks, savings associations, and credit unions, regardless of whether they hold a transaction account belonging to a consumer; and
- anyone else who directly or indirectly holds a transaction account belonging to a consumer.
A change in the law on December 18, 2010 amended the the definition of “creditor,” and limits the circumstances under which creditors are covered. The new law covers creditors who regularly, and in the ordinary course of business, meet one of three general criteria. They must:
- obtain or use consumer reports in connection with a credit transaction;
- furnish information to consumer reporting agencies in connection with a credit transaction; or
- advance funds to — or on behalf of — someone, except for funds for expenses incidental to a service provided by the creditor to that person.
Bookmark this site and check it often for revisions that reflect changes in the law.
Protecting Personal Information: A Guide for Business
Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft.
Avoid ID Theft: Deter, Detect, Defend
A one-stop national resource to learn about the crime of identity theft. It provides detailed information to help you deter, detect, and defend against identity theft.
Provides practical tips from the federal government and the technology industry to help computer users be on guard against Internet fraud, secure their computers, and protect their personal information.
Educates consumers and businesses about the importance of personal information privacy, including the security of personal information.