Information Security & Privacy Regulatory Compliance:
The Red Flags Rules
If you are a financial institution or a creditor, you should already know about the Red Flags Rules and how they affect your organization. Even if you are not a financial institution, if you don't know what the Red Flags Rules are, you will want to keep reading.
Many institutions that would not normally be affected or regulated by the Federal Trade Commission (FTC) are in fact now regulated by the FTC, as it relates to identity theft, under the Red Flags Rules. If you are deemed to be a creditor, you will be affected by the Red Flags Rules. The penalty for being out of compliance with these rules is ten times more damaging than HIPAA, so this is serious business.
The good news is that ‘accepting credit cards as a form of payment does not in and of itself make an entity a creditor.’ That activity does make you subject to PCI DSS, which is another regulation that has been discussed in a different article.
For the purposes of the Red Flags Rules, a creditor includes “finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they too are to be considered creditors.”
Let’s see if your business is a creditor.
Your business or organization is a “creditor” if you regularly:
- extend, renew, or continue credit;
- arrange for someone else to extend, renew, or continue credit; or
- are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.
If you are a creditor and you have a special type of account called a “covered” account under the rule, then you are subject to the Red Flags Rules. If your business is neither a financial institution nor a creditor, congratulations: you are done with this article and can stop reading.
Let’s see if your business has “covered” accounts.
Do you open, maintain, or report on accounts for your customers that are used mostly for personal, family, or household purposes and that involve multiple payments or transactions? Examples of this type of account (covered accounts) are:
- Credit card accounts
- Mortgage loans
- Automobile loans
- Margin accounts
- Cell phone accounts
- Utility accounts
- Checking accounts
- Savings accounts
These types of accounts are considered “covered accounts” and fall under the Red Flags Rules.
In addition, any account “for which there is a foreseeable risk of identity theft,” such as a sole proprietorship account, is subject to the Red Flags Rules. If you think that any of your business activities involve servicing or monitoring these types of accounts, you are regulated by the Red Flags Rules.
Okay, I’m subject to yet another regulation, so how do I address it?
The good news is that your response can be based on your organization’s size and activities. The bad news is that the Red Flags program that you need to implement is described in the November 9th 2007 Federal Register. Fortunately, you’re reading this article, which will hopefully help you to understand the Rules and become compliant.
Wait, wait, wait -- this sounds like too much work! What if I just ignore the Rule?
No problem, the penalty for each violation of the Red Flags Rule is $2500.
Moving on...
To address the Red Flags Rules, you are going to need a written policy and procedure to identify identity theft within your customers’ accounts. The ‘red flags’ in the Red Flags Rules are activities that, taken separately or as a whole, could lead one to suspect that identity fraud is taking place on an account your business manages or monitors.
Go to http://www.bankersonline.com/regs/222/redflagexamples.pdf for a clear list of example Red Flags (special thanks to Bankers Online). You may also go to the source, http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, page 63774, Supplement A to Appendix A (special thanks to the Federal Government).
Okay, let us get to the main points you will need to comply with:
- You will need a written identity theft policies and procedures program.
- In this program, you should identify in writing the Red Flags that are relevant to your organization.
- You may use your existing policies and programs (for example, your information security program), but you will need to create an identity theft section.
- You will need to create procedures within your organization that detect the Red Flags you have identified as relevant.
- You will need a written procedure on how to respond to the detection of Red Flags.
- You will need to update the program as your company changes and as alerts come to you from credit reporting agencies, the FTC, or other agencies.
- The Board of Directors must approve and oversee the identity theft program, and they are ultimately responsible for its appropriate use. They may of course delegate the activities, but they may not transfer the responsibility for the success of the program to anyone else.
- There are some legal requirements for some institutions concerning the reporting of suspicious activity or the granting of credit when fraud is detected. You will need to see your legal counsel for more detail. (I know, I hate it too, but even if I were a lawyer, I couldn’t give you legal advice in this article.)
Here is a link, http://www.lmnc.org/media/document/1/mmua_redflags.doc, with an example of an identity theft program. Yours will need to be tailored to your specific organization’s activities.
While the Red Flags Rules can be complex, hopefully this article has provided you with a good overview of the types of activities you will need to engage in to become compliant with these Rules. You should also have a good understanding of the risks you take by not complying with this new FTC regulation. Feel free to contact us if you have questions regarding becoming compliant with these new and necessary rules for safer commerce.
By John Barchie, Senior Information Security Governance Fellow