The Federal Trade Commission (FTC) recently announced that it is extending the enforcement deadline for the Red Flags Rule that mandates identity theft prevention programs to June 1, 2010. This rule, in effect since Jan. 1, 2008, requires certain companies to spot and heed the “red flags” that often can be the telltale signs of identity theft.
Despite this newly extended compliance deadline, it’s important for NTDA Dealer members to be as well-informed as possible to determine the specific applicability for their business operations.
Who Must Comply
Although every business or organization with an ongoing relationship with consumers should watch for the possibility of identity theft, the Red Flags Rule applies only to “financial institutions” and “creditors.” To determine if your business is covered by the Rule and required to develop a written identity theft program, you’ll need to answer two questions:
- Is your business or organization either a “financial institution” or “creditor,” as those terms are defined in the Rule?
- If so, do you have “covered accounts”?
A “financial institution” is a bank, savings and loan, credit union or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers. Examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts. Another example would be a brokerage account that allows consumers to write checks.
Your business or organization is a “creditor” if you regularly:
- Extend, renew or continue credit
- Arrange for someone else to extend, renew or continue credit
- Are the assignee of a creditor who is involved in the decision to extend, renew or continue credit.
Note that simply accepting credit cards as a form of payment does not make you a creditor under the Rule.
If you determine you’re a financial institution or a creditor, the next step is to see if you have “covered accounts,” which include:
- An account used mostly for personal, family or household purposes that involves multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts and checking or savings accounts.
- An account for which there is a foreseeable risk of identity theft, such as a small business or sole proprietorship account. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed (i.e., what type of interaction and documentation is required), as well as any experience your business has had with identity theft.
If your company is a financial institution or creditor, but does not have any covered accounts, you don’t need an identity theft program. But if you have covered accounts, you must develop a written program that identifies and addresses the red flags that could indicate identity theft.
How to Comply
The Rule doesn’t mandate a specific type of program. Instead, it gives you flexibility to implement a program that best suits your business, as long as it meets the Rule’s requirements.
When starting to develop your program, refer to the Guidelines issued with the Red Flags Rule (available at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf on pages 63773–63774). These Guidelines list the issues you must consider in developing and maintaining a program appropriate for your business. You should also draw on your own experience and knowledge about identity theft risks.
There are four basic steps to designing a program to comply with the Rule:
- Identify relevant red flags
- Detect red flags
- Prevent and mitigate identity theft
- Update your program periodically.
In addition, your program must spell out how it will be administered. It should be appropriate to the size and complexity of your company, as well as the nature of your operations.
Identify Warning Signs
Under the Rule, financial institutions and creditors with covered accounts must develop a written program to identify the warning signs of identity theft. The Guidelines describe the following categories of warning signs that your program must identify and address:
- Alerts, notifications or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally-identifying information
- Suspicious activity relating to a covered account or
- Notices from customers, victims of identity theft, law enforcement authorities or other entities about possible identity theft in connection with covered accounts.
When identifying red flags, consider the nature of your business and the type of identity theft to which you might be vulnerable.
Detect Red Flags
Once you’ve identified the red flags relevant to your business, you must establish policies and procedures to detect them in your day-to-day operations. For example, you may spot red flags when you verify a consumer’s identity, authenticate customers, monitor transactions or verify requests for changes of address. Some red flags may seem harmless on their own, but can signal identity theft when paired with other events (e.g., a change of address coupled with the use of an address associated with fraudulent accounts).
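The point that some red flags only become meaningful in combination is easiest to see in code. The following is an added example, not part of the FTC article and not any particular dealer's program. It applies three illustrative rules to a constructed stream of account events: a consumer reporting agency alert is a red flag on its own; an address change to an address already linked to prior fraud is a red flag; and an address change by itself is ignored, but becomes a red flag when a card request follows it within a 30-day window. The event kinds, account names, the fraud-address list and the window length are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed for this example: addresses previously tied to fraudulent accounts.
# A real program would draw this from its own fraud history, not a hard-coded set.
KNOWN_FRAUD_ADDRESSES = {"12 SAMPLE ST, ANYTOWN, XX 00000"}


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str          # assumed kinds: "address_change", "card_request", "cra_alert"
    detail: str = ""   # new address for address_change, alert text for cra_alert


def detect_red_flags(events, window=timedelta(days=30)):
    """Return {account: [(category, reason), ...]} for accounts that trip a rule.

    Categories follow the Guidelines' headings: a consumer reporting agency
    alert, suspicious personally identifying information, suspicious activity.
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev.account].append(ev)

    flags = defaultdict(list)
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.kind == "cra_alert":
                # Rule 1: an alert from a consumer reporting agency stands alone.
                flags[acct].append(("CRA alert", ev.detail))
            elif ev.kind == "address_change":
                # Rule 2: the new address is one already associated with fraud.
                if ev.detail.upper() in KNOWN_FRAUD_ADDRESSES:
                    flags[acct].append(
                        ("suspicious PII", f"new address linked to prior fraud: {ev.detail}"))
                # Rule 3: an address change alone is harmless; paired with a card
                # request inside the window it is a classic account-takeover pattern.
                for later in evs[i + 1:]:
                    if later.ts - ev.ts > window:
                        break
                    if later.kind == "card_request":
                        days = (later.ts - ev.ts).days
                        flags[acct].append(
                            ("suspicious activity",
                             f"card request {days} days after address change"))
                        break
    return dict(flags)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("ACC-A", datetime(2009, 5, 1), "address_change", "12 Sample St, Anytown, XX 00000"),
    Event("ACC-B", datetime(2009, 5, 2), "address_change", "40 Ordinary Rd, Anytown, XX 00001"),
    Event("ACC-B", datetime(2009, 7, 15), "card_request"),          # 74 days later: outside window
    Event("ACC-C", datetime(2009, 5, 3), "address_change", "9 Plain Ave, Anytown, XX 00002"),
    Event("ACC-C", datetime(2009, 5, 8), "card_request"),           # 5 days later: inside window
    Event("ACC-D", datetime(2009, 5, 4), "cra_alert", "fraud alert placed on consumer file"),
]


if __name__ == "__main__":
    for acct, found in sorted(detect_red_flags(SAMPLE_EVENTS).items()):
        for category, reason in found:
            print(f"{acct}: [{category}] {reason}")
```

ACC-B shows the caveat the paragraph makes: the same two events that flag ACC-C do not flag ACC-B, because the card request falls outside the window, so the address change is treated as routine. Tuning that window, and the fraud-address list, is exactly the kind of judgement the Rule leaves to each business.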
Prevent and Mitigate Identity Theft
Your program must include appropriate responses to your red flags to prevent and mitigate identity theft. These responses could include monitoring an account, closing an account, not opening a new account, contacting the consumer when you spot a red flag, or a combination. Sometimes you may determine that no response is necessary. In other cases, certain events, such as a recent data breach or a “phishing” fraud that targeted your company, may raise the risk of identity theft and require specific preventive actions.
Plan to Update Your Program
Because identity theft threats change, your program must describe how you will update it to ensure that you are considering new risks and trends.
Learn More
For more information on the Red Flags Rule, visit www.ftc.gov/bcp/edu/microsites/redflags. rule/more-about-red-flags.shtm
If you haven’t already done so, you are encouraged to contact your legal and accounting professionals to identify any specific compliance requirements for your business.
Source: Attorneys Tiffany George and Pavneet Singh, Division of Privacy and Identity Protection, Federal Trade Commission
(www.ftc.gov/bcp/edu/pubs/articles/art10.shtm)