By now everyone's heard of identity theft, and heard of the efforts by various public and private entities to combat the threat. Today we're going to give you an overview of one effort by the Federal Trade Commission ("FTC") that your company needs to be aware of and closely review. It could have a substantial impact on your operations if your entity is under FTC jurisdiction. It's called the Red Flags Rule (the "Rule").
The Rule requires many entities to implement a written identity theft prevention program to detect the warning signs of the crime of identity theft. The idea is that by developing such a written program entities will be able to spot the warning signs (such as patterns, practices, or specific activities) or "red flags" in their operations that could indicate identity theft is occurring.
Entities subject to the Rule are set forth in the Rule itself. But as noted by the FTC, "as a practical matter, the Rule applies to you if you provide products or services and bill customers later."
The original compliance date was November 1, 2008. But that date has been pushed back a number of times to the current date of November 1, 2009--which will be here before you know it.
The Rule has a noble goal of protecting consumers from identity theft. But the Rule has also left entities scrambling to figure out whether they're required to comply with it. Even those who have actually read the text of the Rule (which, typically, is very dry and full of legalese) have had trouble figuring out if they're subject to it. The FTC's extensions of the compliance date are related to its desire to help entities figure out whether they're covered.
Whether your entity is subject to the Rule depends on whether your entity fits the definitions of "financial institutions" and "creditors" set forth in the Rule.
Your own view of the type of business you're in does not matter much. It's the language of the Rule that determines whether your entity qualifies as a financial institution or a creditor.
While you might not think of yourself as fitting into one of these legal definitions, you may be surprised to find out that you do according to the Rule--especially if you regularly bill or invoice customers after you provide them with services.
You are going to need to review the definitions with your legal team to determine whether you're subject to the jurisdiction of the FTC, whether your entity fits into one of the definitions, and thus whether you are required to comply with the Rule.
You should start your own research by visiting the FTC's helpful Rule website. You and your attorney should start with a review of the text of the Rule. The FTC's website also offers a wealth of other information for your review, such as a short Frequently Asked Questions section, a compliance booklet, and other materials. Once you're up to speed, you can conduct your own assessment.
If you do find that your entity is subject to the Rule, then you need to periodically determine whether you maintain any "covered accounts" as such accounts are defined by the Rule. If you do, then you need to create and implement an identity theft prevention program that complies with the Rule prior to the new compliance date of November 1, 2009.
Your program must include a risk assessment and must identify and detect warning signs related to potential identity theft. Such warning signs include, but are not limited to, suspicious applications, unusual account activity, and fraud alerts on consumer reports. Your program also has to set forth responses that would prevent and mitigate identity theft and detail your ongoing plan to update the program.
Programs should include reasonable policies and procedures to:
- Identify the red flags you're likely to come across;
- Detect red flag activities;
- Respond to red flag activities that have been detected;
- Educate your employees; and
- Update your program periodically to incorporate new risks.
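The "identify" and "detect" steps above are where the program meets your account data. As an illustration of what detection looks like in practice, here is a small rule-based detector written for this article (it is not code from the FTC, and the four rules, the account identifiers, the 30-day window, the 5x spending threshold and the sample events are all constructed assumptions keyed to the three warning-sign categories the text names: suspicious applications, unusual account activity, and fraud alerts on consumer reports). Your own red flags would come from your risk assessment and the FTC's list, not from this snippet.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One account or application event. Field names are assumptions for this example."""
    account: str            # account number or application id
    ts: datetime            # when the event occurred
    kind: str               # application | fraud_alert | address_change | new_card_request | purchase
    data: dict = field(default_factory=dict)


# Constructed sample events (not real customer data).
SAMPLE_EVENTS = [
    Event("A1", datetime(2009, 9, 1), "application", {"ssn": "123-45-6789", "name": "J. Smith"}),
    Event("A2", datetime(2009, 9, 2), "application", {"ssn": "123-45-6789", "name": "R. Jones"}),
    Event("C7", datetime(2009, 9, 3), "fraud_alert", {"source": "consumer_report"}),
    Event("C9", datetime(2009, 9, 4), "address_change", {}),
    Event("C9", datetime(2009, 9, 10), "new_card_request", {}),
    Event("C9", datetime(2009, 8, 1), "purchase", {"amount": 40.0}),
    Event("C9", datetime(2009, 8, 8), "purchase", {"amount": 55.0}),
    Event("C9", datetime(2009, 8, 15), "purchase", {"amount": 60.0}),
    Event("C9", datetime(2009, 9, 11), "purchase", {"amount": 2400.0}),
    Event("C3", datetime(2009, 9, 5), "purchase", {"amount": 30.0}),
]


def detect_red_flags(events, card_window=timedelta(days=30), spike_factor=5.0):
    """Return a list of (account, flag_name, evidence) tuples.

    Thresholds (card_window, spike_factor) are assumed values for illustration;
    a real program would set them from its own risk assessment.
    """
    flags = []
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):   # process each account in time order
        by_account[e.account].append(e)

    # Suspicious application: the same SSN appears on applications under different names.
    ssn_names = defaultdict(set)
    for e in events:
        if e.kind == "application" and "ssn" in e.data:
            ssn_names[e.data["ssn"]].add(e.data.get("name"))
    for e in events:
        names = ssn_names.get(e.data.get("ssn"), set())
        if e.kind == "application" and len(names) > 1:
            flags.append((e.account, "suspicious_application",
                          f"SSN used on applications under {len(names)} different names"))

    for acct, evs in by_account.items():
        # Fraud alert on a consumer report: flag on its own, no correlation needed.
        for e in evs:
            if e.kind == "fraud_alert":
                flags.append((acct, "fraud_alert", f"alert from {e.data.get('source', 'unknown')}"))

        # Unusual account activity: an address change followed shortly by a new card request.
        last_change = None
        for e in evs:
            if e.kind == "address_change":
                last_change = e.ts
            elif e.kind == "new_card_request" and last_change is not None \
                    and e.ts - last_change <= card_window:
                flags.append((acct, "address_change_then_new_card",
                              f"card requested {(e.ts - last_change).days} days after address change"))

        # Unusual account activity: a purchase far above the account's prior baseline.
        prior = []
        for e in evs:
            if e.kind == "purchase":
                amt = e.data["amount"]
                if len(prior) >= 3 and amt > spike_factor * (sum(prior) / len(prior)):
                    flags.append((acct, "spending_spike",
                                  f"{amt:.2f} vs baseline {sum(prior) / len(prior):.2f}"))
                prior.append(amt)
    return flags


def flagged_accounts(events):
    """Sorted list of accounts that need a response under the program."""
    return sorted({acct for acct, _, _ in detect_red_flags(events)})


if __name__ == "__main__":
    for acct, flag, why in detect_red_flags(SAMPLE_EVENTS):
        print(f"{acct}: {flag} ({why})")
```

The point of the example is the shape, not the thresholds: each red flag is a named rule with its own evidence string, so the "respond" and "update" steps of the program have something concrete to act on and to revisit at the annual review.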
The Rule also requires approval from your Board (or the appropriate Board committee), annual reports to your Board or senior management, at least annual review of the red flags and your program, your oversight of service providers who handle your covered accounts, and appropriate training.
To get you started, the FTC has provided a list of twenty-six different types of red flags. For more information on these red flags, please visit the FTC's website.
If you find yourself subject to the Rule, then you're going to need to devote substantial time and resources to developing your program. Get your team together, and be sure to involve people from every department that will play a key role in monitoring for and identifying identity theft. Pull in accounting, legal, IT, customer service, and any other department that could play a role in developing your plan.
There's also a wealth of resources available online from other sources such as various trade organizations.
If you don't find yourself subject to the Rule, don't think you can ignore the crime of identity theft. It's out there and likely only to get worse. Come up with some sort of monitoring and response plan to fight the threat and protect yourself should the worst occur.