New Red Flags Rule to Prevent Identity Theft

by Jim Marasco

The Federal Trade Commission has reported that identity theft affects more than 9 million Americans annually.

In response to this epidemic, the government has acted to curtail this fraudulent activity. Implementation of the widely publicized “Red Flags Rule” becomes effective Nov. 1, 2009. Will your organization be affected?

Background

The Red Flags Rule requires certain businesses to implement a written identity theft prevention program designed to detect the warning signs of identity theft, attempt to prevent it and minimize its effects. The rule is being administered primarily by the FTC.

Who Must Comply

Whether your organization is subject to the Red Flags Rule isn’t necessarily based on your particular industry, but rather on whether your activities fall within the following definitions.

The rule officially applies to “financial institutions” and “creditors.”

Financial institutions are defined as banks, savings and loans or credit unions. Some of these institutions may fall under the purview of the federal bank regulatory agencies or the National Credit Union Administration, while others may be governed by the FTC.

“Creditors” include organizations that regularly defer payment for goods or services or provide goods or services and invoice customers later. Examples include utility and telecommunication companies, healthcare providers and anyone who regularly grants loans, arranges for credit or makes credit decisions. This would include finance companies, mortgage brokers, real estate agents, auto dealers and retailers that grant credit.

Once it’s determined that you fall under the rule, you must determine whether you have any “covered accounts.” The FTC identifies two categories of covered accounts.

The first is a consumer account that’s offered primarily for personal, family or household purposes and is designed to permit multiple payments or transactions (e.g., credit cards, auto loans, cell phone accounts).

The second involves any other account that a financial institution or creditor offers or maintains for which there is a foreseeable risk to customers from identity theft (e.g., small business accounts, single transaction consumer accounts).

If the rule applies to your organization, but you don’t administer any “covered accounts,” a written program does not have to be created. However, a periodic risk assessment should be conducted to assist in determining whether you’ve acquired covered accounts through changes to the business.

The Required Elements

Four basic elements are needed for your program.

1. Include reasonable policies and procedures to identify the “red flags” of identity theft that could occur in your business.

2. Design it to detect the red flags you’ve identified.

3. Spell out the appropriate actions you’ll take once you’ve detected red flags to prevent or mitigate any harm that has been done.

4. Address how your program will be periodically re-evaluated to reflect new and evolving risks.

Your first written program has to be approved by your board of directors or senior-level management (in lieu of a board). It should identify those responsible for its implementation, administration and training.

The Red Flags Rule gives the organization the flexibility to design a program appropriate for its size and potential risks of identity theft.

Some complex organizations may require a more comprehensive program than those that have little exposure to identity theft. The person ultimately responsible for your program should report to the board or management at least annually to evaluate and update its progress.

Adoption and Enforcement

Thus far, the implementation date of the Red Flags Rule has been officially delayed on three occasions from Jan. 1, 2008, when it first went into effect.

Failure to comply with the rule can lead to civil penalties, such as monetary sanctions and enforcement action by the FTC.

However, outside of maintaining documentation of your program, there has so far been no publicity regarding external enforcement monitoring by the FTC.

Desired Objectives

By having certain businesses adopt this program, it’s the intention of the government to create a greater awareness toward protecting consumers’ confidential information. Hopefully, by removing the outlet for identity thieves to perpetrate their crimes, instances of identity theft will decrease. Call us if you think you’re subject to the Red Flags Rule.

James I. Marasco, CPA/CFF, CFE, CIA
Jim is a partner at EFP Rotenberg. He brings more than 18 years of public accounting and auditing experience. He is a full-time management consultant and travels extensively throughout the country while leading StoneBridge Business Partners (an EFP Rotenberg affiliate company). Article republished with the permission of CPAmerica.

 

 


StoneBridge Business Partners | 280 Kenneth Drive, Suite 100 | Rochester, New York 14623
Additional Offices in New York, NY and Los Angeles, CA
Phone: 585-295-0550 | Toll-Free: 1-888-247-9764 | Fax: 585-340-5225
Government Contracting Services Hotline: 585-486-0762 | Cage Code: 31MB9 | DUNS: 052032831

©2011 StoneBridge Business Partners. An EFP Rotenberg company. All rights reserved.

