Knowing your Red Flags – The FTC’s Red Flags Rule Goes into Effect May 1
The Federal Trade Commission (FTC) has promulgated its “Red Flags” rule, which takes effect May 1, 2009, to address identity theft under the Fair and Accurate Credit Transactions Act of 2003.
This Rule requires certain businesses and organizations to implement a written Identity Theft Prevention Program to identify, detect, and respond to warning signs (“red flags”) of identity theft. For more information on this rule, see the FTC’s website.
The FTC regulation defines a creditor as an entity that regularly extends, renews, or continues credit, or arranges for the extension of credit, and that maintains “covered accounts.” A “covered account” is a consumer account designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft. Taken together, these definitions extend to a significant number of business organizations that may not have had this issue on their radar.
For example, the American Bar Association (an association for attorneys) has alerted state bars that the FTC plans to apply the rule to lawyers and law firms. Additionally, a medical provider may be considered a “creditor” if the provider does not regularly demand payment in full for services or supplies at the time of service. Thus, it is worth taking a second look at your business practices and the FTC’s rule.
If a business is covered by the FTC Red Flags Rule, it would be required to develop an identity theft program containing “reasonable policies and procedures” to:
- Identify relevant patterns, practices, and specific forms of activity that are “red flags,” signaling possible identity theft;
- Detect these patterns, or “red flags”;
- Respond to those detected to prevent and mitigate identity theft; and
- Ensure the program is updated periodically to reflect changes in risks.