People ask all the time, what is the Red Flags Rule and does it apply to me? First, I feel that is necessary to explain who needs to comply with the Red Flags Rule. The Federal Trade Commission states that “the Red Flags Rules apply to financial institutions and creditors with covered accounts. Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.”1
“A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies, health care providers, lawyers, accountants, and other professionals.2
“A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.”2
Let me tell you more about what the Red Flags Rule is and what it tries to accomplish.
The Red Flags Rule was enacted in January 1, 2008 and is required to be implemented by November 1, 2009. The rule requires that your business program must have a four step process in place to detect identity theft that may come across your business. The four steps are:
1) Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program
2) Detect red flags that have been incorporated into the Program
3) Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
4) Ensure the Program is updated periodically to reflect changes in risks from identity theft.3
An important note: The Rule is designed to stop the propagation and effects of identity theft. It is not a data security program.
The Rule helps to minimize the effects of the ten million cases of identity theft that occur every year. Approximately 5.3% of all tax returns each year are fraudulent. These not only do they cause a loss of money to the IRS (which is also us, the general public), but they can damage the business that the tax return was done through. The average cost to a business that identity theft occurred in is well over $90,000! Not only is there a monetary lose, but think of your reputation if you unwittingly assist in an instance of ID Fraud.
References
1) http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
2) http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm
