Is your Organization Required to be Compliant with the Red Flags Rule?

by Jim Marasco, CPA, CIA, CFE

Fraud Matters, Summer 2011

After numerous postponements dating back three years, the long-awaited Red Flags Rule finally became effective Jan. 1, 2011. During this process, slight revisions have been made that impact the parties involved. It’s important to know whether your organization is subject to these rules.

Background

The Red Flags Rule requires certain businesses to implement a written identity theft prevention program designed to detect the warning signs of identity theft, attempt to prevent it and minimize its effects. The rule is being administered primarily by the Federal Trade Commission (FTC).

Who must comply

The determination of whether your organization falls subject to the Red Flags Rule isn’t necessarily based on your particular industry but, rather, on whether your activities fall within the following definitions. The rule officially applies to “financial institutions” and “creditors.” Financial institutions are defined as banks, savings and loans or credit unions. Some of these institutions may fall under the purview of the federal bank regulatory agencies and/or the National Credit Union Administration, while others may be governed by the FTC.

Creditors include organizations that regularly defer payment for goods or services or provide goods or services and invoice customers later. Examples include utility and telecommunication companies, healthcare providers and anyone who regularly grants loans, arranges for credit or makes credit decisions. This includes finance companies, mortgage brokers, real estate agents, auto dealers and retailers that grant credit.

The FTC’s broad interpretation could also include nonprofits and government agencies. However, on March 4, 2011, a ruling by a D.C. circuit court seems to have exempted professionals such as accountants, lawyers and healthcare providers who regularly defer payments for goods or services.

Once it is determined that you fall under the rule, you must determine whether you have any “covered accounts.” The FTC identifies two categories of covered accounts. The first is a consumer account that is offered primarily for personal, family or household purposes and is designed to permit multiple payments or transactions (e.g., credit cards, auto loans, cell phone accounts). The second involves any other account that a financial institution or creditor offers or maintains for which there is a foreseeable risk to customers from identity theft (e.g., small business accounts, single transaction consumer accounts).

Red Flag Program Clarification Act of 2010

The Red Flag Program Clarification Act of 2010 more specifically defined a creditor as one who, during the ordinary course of business:

  • Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction
  • Furnishes information to consumer reporting agencies in connection with a credit transaction
  • Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person

If the rule applies to your organization, but you don’t administer any “covered accounts,” a written program does not have to be created. However, a periodic risk assessment should be conducted to assist in determining whether you’ve acquired covered accounts through changes to the business.

Required elements

Your program should include four basic elements.

  1. Include reasonable policies and procedures to identify the “red flags” of identity theft that could occur in your business.
  2. Design it to detect the red flags you’ve identified.
  3. Spell out the appropriate actions you’ll take once you’ve detected red flags to prevent/mitigate any harm that’s been done.
  4. Address how your program will be periodically re-evaluated to reflect new and evolving risks.

Your first written program has to be approved by your board of directors or senior-level management (in lieu of a board). It should identify those responsible for its implementation, administration and training. The Red Flags Rule gives the organization the flexibility to design a program appropriate for its size and potential risks of identity theft.

Some complex organizations may require a more comprehensive program versus those that have little exposure to identity theft. The person ultimately responsible for your program should report to the board or management at least annually to evaluate and update the program’s progress.

Adoption and enforcement

Programs are required to be in effect as of Jan. 1, 2011. Although there are no criminal penalties for failing to comply with the rule, violators can be subject to civil penalties, such as monetary sanctions and enforcement action by the FTC.

Desired objectives

By having certain businesses adopt this program, it’s the intention of the government to create a greater awareness toward protecting consumers’ confidential information. By removing the outlet for identity thieves to perpetrate their crimes, instances of identity theft will decrease.

Your CPA firm can help if you believe you’re subject to the Red Flags Rule and need assistance in meeting your compliance obligations. – James Marasco, CPA, CIA, CFE

Jim Marasco is the Director of StoneBridge Business Partners. Read more about Jim. Article reprinted with permission from The Rochester Business Journal.

StoneBridge Business Partners | 280 Kenneth Drive, Suite 100 | Rochester, New York 14623
Additional Offices in New York, NY and Los Angeles, CA
Phone: 585-295-0550 | Toll-Free: 1-888-247-9764 | Fax: 585-340-5225
Government Contracting Services Hotline: 585-486-0762 | Cage Code: 31MB9 | DUNS: 052032831

©2011 StoneBridge Business Partners. An EFP Rotenberg company. All rights reserved.

