Final Deadline to Implement Identity Theft Red Flags Rules for FTC-Regulated Entities is November 1, 2009
The new deadline to implement the Federal Trade Commission (FTC) rules on Identity Theft Red Flags is November 1, 2009. (To access the FTC’s FAQs on the Red Flags Rules, click here. To access the text of the Red Flags Rule, click here. And for the FTC’s “How To” guide for businesses, click here).
These rules have a surprisingly wide application to businesses, many of which don’t think of themselves as “creditors.” Under the rules, any “creditor” with “covered accounts” must develop and implement a Red Flags Program. Since these terms are broadly defined, the FTC estimated that over 11 million entities subject to its jurisdiction would qualify as “creditors” under the rules. As a result, you may very well be a creditor under the rules.
A “creditor” includes any entity that allows customers to defer payment for goods and services (including through the common practice of billing customers after goods or services are provided), even if no finance charges or installment payments are involved. Such entities include, for example, health care providers, mortgage brokers, utility companies and many merchants who wouldn’t ordinarily think of themselves as “creditors.”
If you are a creditor under the Red Flags Rules, you must next determine if you have any “covered accounts.” “Covered accounts” are not limited to formal deposit or credit accounts. Instead, any continuing relationship under which a customer can obtain goods or services that are primarily for personal, family or household purposes and that involves, or is designed to permit, multiple payments or transactions is a “covered account.” In addition, a “covered account” is any account (including a business account) for which there is a reasonably foreseeable risk to you or your customers from identity theft. To determine if there is a foreseeable risk from identity theft, consider the methods used to open the account, the methods used to access the account and your previous experience with identity theft.
The Red Flags Program
If you are a creditor who does not have any covered accounts, you do not need to develop a Red Flags Program. However, the rules require that you periodically reevaluate whether you are offering or maintaining covered accounts. If you ever determine that you offer or maintain covered accounts, then you will need to develop and implement a Red Flags Program.
If you are a creditor with covered accounts, you will need to develop and implement a written Red Flags Program. The program must be designed to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft. There is no one-size-fits-all program and each creditor needs to tailor its program to its own circumstances. If you determine that you are a low-risk entity, then your program can be simple and streamlined.
If you have questions about the Red Flags Rules or would like a copy, please let us know. You need to act now to determine if you are a creditor and to comply with the Red Flags Rules.