Are you complying with the Red Flags Rule?

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. Below are excerpts that pertain to businesses that probably are not aware they fall under the Red Flags Rule.

What types of businesses and organizations are covered by the Red Flags Rule?

    The Rule applies to both “financial institutions” and “creditors.” It’s important to look closely at how the Rule defines those terms because they apply to groups that might not typically use those words to describe themselves. Whether your business or organization is a financial institution or creditor isn’t based on the line of work you’re in, but rather on whether your activities fall within the definitions in the law. The Red Flags Rule gives examples of businesses and organizations that probably are covered, but the list isn’t exhaustive.

    Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third party lenders. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector who regularly renegotiates the terms of a debt would be a creditor under the Rule.

RED FLAG RULE FAQ

Do all creditors and financial institutions need to have a written Identity Theft Prevention Program?

    If you have covered accounts, you must develop and implement a written Program to detect and respond to the red flags of identity theft — taking into consideration the nature of your business and the risks you face — and update your Program periodically. If you don’t have any covered accounts, you don’t need a written Program, but you still need to conduct periodic risk assessments to determine if you’ve acquired any covered accounts through changes to your business.

Only creditors and financial institutions that have “covered accounts” need a Program. Once you’ve determined you’re a creditor or financial institution under the Red Flags Rule, the next step is to figure out if you have any covered accounts. The Rule defines that term as either: 1) consumer accounts designed to permit multiple payments or transactions, or 2) any other account that presents a reasonably foreseeable risk from identity theft.

Am I a creditor under the Rule if I extend credit to other businesses?

    Yes, you’re a creditor whether you have consumer or business customers.

Do I have covered accounts if I’m a business creditor?

    It depends. If you’re a creditor with only business-to-business accounts, you have to assess whether those accounts pose a reasonably foreseeable risk from identity theft. If they do, they’re “covered accounts” under the Rule.

Are you covered by the Red Flags Rule? Download the PDF Fighting Fraud with the Red Flags Rule: A How-To Guide for Business to:

By identifying red flags in advance, you’ll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft. Take advantage of other resources on this site to educate your employees and colleagues about complying with the Red Flags Rule.

    • Fighting Fraud with the Red Flags Rule: A How-To Guide for Businesses (PDF)
    • All About Red Flags (Video)
    • Do-It-Yourself Template for Businesses at Low Risk (PDF)

Red Flag Program Clarification Act of 2010 final bill

Text of the final Red Flag Program Clarification Act of 2010 bill sent to President Obama for signature. The purpose is to amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines, primarily to reduce the burden on small businesses.

H.R.6420
Latest Title: Red Flag Program Clarification Act of 2010
Sponsor: Rep Adler, John H. [NJ-3] (introduced 11/17/2010)
Cosponsors (2)
Related Bills: S.3987
Latest Major Action: 11/17/2010 Referred to House committee. Status: Referred to the House Committee on Financial Services.

To amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ‘Red Flag Program Clarification Act of 2010’.

SEC. 2. SCOPE OF CERTAIN CREDITOR REQUIREMENTS.

    (a) Amendment to FCRA- Section 615(e) of the Fair Credit Reporting Act (15 U.S.C. 1681m(e)) is amended by adding at the end the following:
    • ‘(4) DEFINITIONS- As used in this subsection, the term ‘creditor’–
      • ‘(A) means a creditor, as defined in section 702 of the Equal Credit Opportunity Act (15 U.S.C. 1691a), that regularly and in the ordinary course of business–
        • ‘(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
        • ‘(ii) furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; or
        • ‘(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;
      • ‘(B) does not include a creditor described in subparagraph (A)(iii) that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; and
      • ‘(C) includes any other type of creditor, as defined in that section 702, as the agency described in paragraph (1) having authority over that creditor may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.’.
    (b) Effective Date- The amendment made by this section shall become effective on the date of enactment of this Act.

What is the Red Flags Rule?

Are you complying with the Red Flags Rule? What is it and who does it apply to? The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of identity theft.

First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

Second, your Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your Program must spell out appropriate actions you’ll take when you detect red flags.

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime. Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your Program into the daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written Program. If you don’t have a board, approval is up to an appropriate senior-level employee. Your Program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your Program also must include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the Rule, your Program also must address how you’ll monitor your contractors’ compliance.

The Red Flags Rule gives you the flexibility to design a Program appropriate for your company – its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.

Related Article: Red Flags Rule Video.

Who must comply with the Red Flags Rule?

The Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.” You need to implement a written program only if you have covered accounts. It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

Financial Institution

The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Banks, federally chartered credit unions, and savings and loan associations come under the jurisdiction of the federal bank regulatory agencies and/or the National Credit Union Administration. Check with those agencies for guidance tailored to those businesses. The remaining financial institutions come under the jurisdiction of the FTC. Examples of financial institutions under the FTC’s jurisdiction are state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, or other institutions that offer accounts where the consumer can make payments or transfers to third parties.

Creditor

The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.

Utility companies, health care providers, and telecommunications companies are among the entities that may fall within this definition depending on how and when they collect payment for their services.

The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others, say, by processing credit applications. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition.

Covered Accounts

Once you’ve concluded that your business or organization is a financial institution or creditor, you must determine if you have any “covered accounts,” as the Red Flags Rule defines that term. To make that determination, you’ll need to look at both existing accounts and new ones. Two categories of accounts are covered.

The first kind is a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

The second kind of “covered account” is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they always are “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable.

In determining if accounts are covered under the second category, consider how they’re opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely – such as through the Internet or by telephone. Your risk analysis must consider any actual incidents of identity theft involving accounts like these.

This is an excellent video to learn all about the Red Flags Rule.

3D Merchant Services solutions help businesses comply with FACTA, the Red Flags Rule, and PCI compliance requirements.

Thune-Begich Legislation Clarifying Red Flags Rule Passes House

After passing both chambers of Congress, Red Flags Rule bill headed to president’s desk for signature before January 1, 2011.

December 7th, 2010 – WASHINGTON, DC – U.S. Sens. John Thune (R-S.D.) and Mark Begich (D-Alaska), today praised the House of Representatives’ swift passage of their bipartisan bill, the Red Flag Program Clarification Act of 2010, which clarifies a burdensome regulation by the Federal Trade Commission (FTC) that would otherwise require small businesses to undertake costly and unnecessary measures to prevent identity theft. The Thune-Begich bill passed the full House of Representatives today by voice vote. The Thune-Begich bill passed the full Senate by Unanimous Consent on November 30, 2010 and will now move to President Obama’s desk to be signed into law.

“I commend my colleagues in the House of Representatives for wasting no time in passing the Thune-Begich legislation clarifying the Red Flags Rule to protect our nation’s small businesses from unnecessary and burdensome federal regulation,” said Thune. “Instead of worrying about being punished under the FTC rule that was set to take effect on January 1st, small businesses can now breathe a sigh of relief.”

“Businesses in Alaska will be better served with this approach. The bill targets the very heart of identity theft, the use of consumer credit reports instead of lumping all small businesses as having the same risk of identity theft,” Begich said. “This bill was carefully crafted, and I am proud to work with my colleagues on this issue.”

The FTC issued the Red Flags regulations under the Fair and Accurate Credit Transactions Act of 2003, which requires the establishment of guidelines for financial institutions and creditors regarding identity theft. If implemented on January 1, 2011, as planned, the FTC’s overreaching definition of a creditor would place a significant burden on our nation’s small businesses. Recognizing this, the FTC has delayed implementation of the rule multiple times to allow for Congressional clarification.

###

This bill already passed the Senate in November.

Thune-Begich Legislation Clarifying Red Flags Rule Passes Senate

November 30th, 2010 – Washington, DC – U.S. Sens. John Thune (R-S.D.) and Mark Begich (D-Alaska), today praised the passage of their bipartisan bill, the Red Flag Program Clarification Act of 2010, which clarifies a burdensome regulation by the Federal Trade Commission (FTC) that would otherwise require small businesses to undertake costly and unnecessary measures to prevent identity theft. The Thune-Begich bill passed the full Senate by Unanimous Consent and will now move to the House of Representatives for consideration.

“Small businesses in South Dakota and across our country are the engines of job growth for America,” said Thune. “Forcing them to comply with misdirected and costly federal regulations included in the FTC Red Flags Rule will hurt their ability to create jobs and continue growing our economy. I’m pleased that the Senate has passed this important piece of legislation to ensure that small businesses aren’t unnecessarily impacted by these regulations and I look to the House of Representatives to pass this bill without delay.”

“It is very important to consider the needs of small businesses, such as medical providers, when implementing consumer protections,” Begich said. “Our goal is to streamline requirements for businesses to ensure the proper implementation without onerous costs. I thank my colleagues for supporting this bill.”

The FTC issued the Red Flags regulation under the Fair and Accurate Credit Transactions Act of 2003, which requires the establishment of guidelines for financial institutions and creditors regarding identity theft. If implemented on January 1, 2011, as planned, the FTC’s overreaching definition of a creditor would place a significant burden on our nation’s small businesses. Recognizing this, the FTC has delayed implementation of the rule multiple times to allow for Congressional clarification.

###

Throughout the internet, sites are touting this as “Congress Exempts Physicians From Identity Theft ‘Red Flags’ Rule.” Clearly this is not a physicians-only rule.