The Red Flags Rule goes into effect Nov. 1. Please explain what the Red Flags Rule is and what types of businesses will be affected.
The Red Flags Rule was designed as part of the Fair and Accurate Transactions (FACT) Act of 2003 to protect consumers from identity theft. The rule requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program (ITPP) that identifies and detects the relevant warning signs of identity theft, and addresses and mitigates possible violations of identity theft crime.
The intent and purpose of developing an ITPP is to detect day-to-day warning signs (red flags) of identity theft and prevent and mitigate such crimes. The Red Flags Rule does not apply to any particular industry or sector, but applies to financial institutions and creditors who have “covered accounts.”
If you are considered a financial institution or a creditor, you must determine if you have one or more covered accounts. If you determine that you do have covered accounts, you must comply with the rule.
A “covered account” meets one or both of the following criteria:
• An account that a financial institution maintains for personal, family, or household purposes that is designed to permit multiple payments or transactions.
• Any account that a financial institution or creditor offers or maintains for which there is a reasonable risk of identity theft to the customer.
Either the board of directors or the appropriate managers must approve the first written ITP program, and the program must document who is responsible for updating and administering it.
The Federal Trade Commission says the rules include creditors. Is that creditors in the broad definition? Does that mean anybody who has advanced services to a company and is considered a creditor must implement red flag rules?
The FTC does have a fairly broad definition of a “creditor.” As the FTC has defined it, a creditor can be any institution or business that regularly provides or extends credit; regularly defers payment for goods and services; or provides goods and services and then bills the customer later. Under this definition, many institutions are considered creditors by the FTC.
Professional service organizations, health care institutions, utility companies, and telecommunications companies may fall under this definition, based on the FTC’s definition of creditor, and given the fact that the Red Flags Rule does not apply to a particular industry or business sector.
The Red Flags Rule does not require all companies that advance goods or services to comply with the rule. If a financial institution or creditor does advance goods or services, the company must also determine if it has covered accounts. If so, the company is subject to the rule. Thus, a business extending credit to another business is not necessarily subject to the rule, based on the fact that its accounts are not necessarily a threat to the identities of an individual consumer or household, and do not place an individual consumer at risk of identity theft.
What are the implications of not complying with the Red Flag Rules? Is this more of a case where businesses need to be prepared not because of government intervention but for liability reasons?
It is unclear what monetary penalties the FTC can impose if a financial institution or creditor does not comply. There do not seem to be any monetary penalties that punish a non-compliant institution. There is currently no “FTC police” force to oversee this type of identity theft program. Having said this, the Red Flags Rule does demonstrate and identify good business practices that financial institutions and creditors should implement.
