Red Flags Rule
- Not to be confused with Red Flag Act
The Red Flags Rule was created by the Federal Trade Commission (FTC), along with other government agencies such as the National Credit Union Administration (NCUA), to help prevent identity theft. The rule was passed in January 2008 and was to be in place by November 1, 2008. Because of pushback from opponents, however, the FTC has delayed enforcement five times; the current deadline is December 31, 2010.
How the Red Flags Rule was Created
The Red Flags Rule was based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA was put in place to address Identity Theft Prevention and Credit History Restoration, Improvements in Use of and Consumer Access to Credit Information, Enhancing the Accuracy of Consumer Report Information, Limiting the Use and Sharing of Medical Information in the Financial System, Financial Literacy and Education Improvement, Protecting Employee Misconduct Investigations, and Relation to State Laws.
Who This Rule Applies To
This rule applies to two different groups: financial institutions and creditors. A “financial institution” is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.
Even if you don’t think you are a creditor, the rule may still apply to you. For example, law firms and accounting firms that receive payment after a service is completed are considered creditors. A utility company is another example: it provides the utilities and receives payment for the services rendered at the end of the month, which makes it a creditor.
The rule applies to many different kinds of companies, including, but not limited to, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, medical practices, hospitals, and law firms, as well as any other company that performs a service and then receives payment once the work is complete.
What the Red Flags Rule States
The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of identity theft.
The four basic elements to the program are:
1) Identify Relevant Red Flags
- Identify the red flags of identity theft you’re likely to come across in your business
2) Detect Red Flags
- Set up procedures to detect those red flags in your day-to-day operations
3) Prevent and Mitigate Identity Theft
- If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done
4) Update your Program
- The risks of identity theft can change rapidly, so it’s important to keep your Program current and educate your staff
The Red Flags Rule gives all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations.
The red flags fall into five categories:
- alerts, notifications, or warnings from a consumer reporting agency
- suspicious documents
- suspicious identifying information, such as a suspicious address
- unusual use of – or suspicious activity relating to – a covered account
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
Ways that a business can comply
The FTC has created a template that your business can populate to meet your company’s needs. The template can be found on the FTC website. This template, however, is for small, very low-risk businesses. There are also a number of other companies that will create a Program for your business to follow for a fee.
The Red Flag Rule as a cause of Identity Theft
Because the Red Flag rule defines creditors so broadly, many businesses (such as utilities) are now required to collect personal information (such as SSNs and driver’s license numbers) that they do not need and have no use for. This policy is precisely contrary to the FTC’s advice to consumers that they should disclose their Social Security number to others only when absolutely necessary. This aspect of the Red Flag rule has the unintended consequence of increasing the number of businesses that hold consumers’ Social Security numbers, thereby putting consumers at greater risk of identity theft through data theft.