The Red Flags Rule & Its Impact on Financial Institutions
Each year, more than nine million Americans are the victims of identity theft. Oftentimes, there are red flags – that is, potential patterns, practices or activities indicating the possibility of identity theft – before it actually happens.
The Federal Trade Commission’s (FTC) Red Flags Rule requires affected businesses to take an active role in recognizing and stopping identity theft. Specifically, this is accomplished through a mandatory, written identity theft prevention program coupled with employee training. The rule is enforced by the FTC, the federal bank regulatory agencies and the National Credit Union Administration. Failure to comply can bring a fine of up to $2,500 per instance for willful and knowing violations.
Businesses Required to Comply
The Red Flags Rule applies only to financial institutions and creditors who have, or work with, covered accounts. The FTC defines the scope of these terms as outlined below.
A financial institution, according to the FTC, is any business holding a transaction account that belongs to a consumer or any institution that offers accounts where the consumer can make payments or transfers to third parties. Examples include:
- State/national banks
- State/federal savings and loan associations
- Mutual savings banks
- State/federal credit unions
- State-chartered credit unions
- Mutual funds that offer accounts with check writing privileges
The FTC’s definition of a creditor is any business or organization that regularly provides goods or services and then either defers payment or bills customers later. Also included in this group is anyone who regularly grants loans, arranges for loans, arranges for extension of credit, sets the terms of credit or makes credit decisions.
Covered accounts are those offered to customers for personal, family or household purposes that are designed to permit multiple payments or transactions. Accounts that have a “reasonably foreseeable” risk of identity theft are also considered covered accounts under the rule even if they are not for personal use. Analyzing how these accounts are accessed, how many people can access them and the accounts’ past identity theft history will determine whether owners of these accounts must be compliant with the rule.
How to Comply
If you have determined, according to the FTC’s financial institution criteria, that you must comply with the Red Flags Rule, then you are required to develop and implement a written identity theft prevention program. For small businesses that must comply but are at low risk, the FTC supplies an online program to aid in program development.
According to the FTC, this new rule gives financial institutions the flexibility to tailor their programs based on their unique risks, and compliance will be based on how reasonably each business assesses these risks. Therefore, the FTC’s only direction is that your program must be appropriate to your organization’s size, complexity and the nature of its activities. Companies at high risk for identity theft should implement more comprehensive programs. Here are some important steps to include in your program:
- Recognize ID Theft Red Flags
Recognize identity theft red flags and ensure through proper training that your staff is able to spot them, as well. Also identify the sources of these red flags; for example, alerts from a credit reporting company, suspicious documents or personal identification information, and suspicious account activity.
- Monitor Day-to-Day Activity
Detect red flags in your day-to-day activity. One way to do so is by establishing a written procedure for verifying or authenticating both new and existing accounts.
- Take Extra Precautions
Take extra precautions such as changing passwords or security codes periodically, monitoring accounts, contacting the customer regularly and reopening old accounts with new account numbers.
- Re-Evaluate the Program Annually
Ensure that you will re-evaluate the program at least annually and update it as needed. Also include how you plan to train the appropriate staff to identify, detect, respond to and prevent red flags and identity theft.
Before implementing your program, it must get the approval of your board of directors or a member of senior management. The FTC also requires that you outline who will be in charge of administering, overseeing and carrying out the program. For help determining whether you need to comply with the Red Flags Rule or for further advice on building your plan, visit the FTC’s website.
For more information, contact a CBIZ insurance and risk professional.