Home > business basics, Business Fraud, fraud prevention, Identity Theft > Red Flag Rule, to prevent Identity theft

Red Flag Rule, to prevent Identity theft


As I have written about in the past the FTC began enforcement of its Red Flag Rules on June 1st. This Rule has been in the works for years, and has been talked about for probably twice as long. The Red Flag Rules, which states that certain businesses and creditors must help fight identity theft as well as create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.

In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.

This includes:

  • Any Business that Extends Credit
  • All Banks
  • Most Brokerage Firms
  • Credit Card Companies
  • Mortgage Lenders
  • Non Traditional lenders (utilities, dealerships, health care providers)

Building an Identity Theft Prevention Plan

According to the FTC, the identity theft prevention plan must consist of four main parts:

  1. Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.
  2. Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.
  3. Response: The plan needs to include a process of responding to red flags as they are detected.
  4. Revision: The plan should specify the process the organization will use to periodically update sections 1-3 as the threat landscape changes

The plan must also be written for each business, so copying the plan for a similar business  is not acceptable by the FTC Rules. The plan must cover how your organization will ensure that any company to which you are outsourcing to will be compliant. Every organization’s senior employees and board of directors must approve the initial plan and train the appropriate employees.

The FTC has also identified five main categories that an organization’s Red Flags might fall under. They are:

  1. Alerts, notifications, or warnings from a consumer reporting agency.
  2. Suspicious documents.
  3. Suspicious personally identifying information (PII).
  4. Suspicious activity relating to a covered account.
  5. Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

As with any new plan or program there will be bumps in the road. The FTC won’t be actively auditing organizations, but it will be investigating on the basis of reported issues, and the costs of being found non-compliant can be staggering.

In the meantime, you should get started on designing and implementing your identity theft prevention plan.

If you need assistance with writing your Plan, or need help with preventing fraud in your business in general, please feel free to contact me for help with presentations to your company or even just helping your staff to prevent fraud from outside your company.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: