The FTC has established that roughly nine million Americans are victims of identity theft each year.
To help reduce these numbers, the FTC developed a series of red flags to help your organization identify fraud attempts before criminals can succeed.
The FTC Red Flag Rules are the rules governing the protection of credit card information.
It is the company's responsibility to be aware of when an unauthorized person is using a customer's account.
For businesses with customers that have given them their credit card information, this is a requirement they must meet to avoid penalties from the FTC.
The FTC developed a regulation that requires businesses to create and implement an identity theft program to help prevent and detect possible identity theft.
Under the Red Flags law, organizations are required to write up an identity theft prevention program that helps identify any relevant “red flags” that may indicate a consumer is a victim of identity theft.
The program is meant to help organizations identify suspicious patterns and take the appropriate steps to prevent the consequences of identity fraud for consumers.
Avoid common compliance risks by hiring a professional compliance auditing and risk assessment team to help create your company’s Red Flags policy.
A Red Flags program must include reasonable policies and procedures to identify red flags that may occur in company operations.
Financial institutions and creditors can use the following categories as red flag examples:
The financial institution needs to comply with the Red Flags Rule by doing the following:
The Red Flags Rule lists 26 identity theft flags that your institution should consider when creating an effective identity theft prevention and training program.
These flags aren’t important only for compliance reasons; they also help form the outline of the identity risk assessment.
Your institution should consider these 26 flags and choose the ones that apply specifically to your business to help define your program.
The FTC requires businesses defined as financial institutions or creditors to implement a written Red Flag Program to detect, prevent, and mitigate identity theft within covered accounts.
These consumer accounts can include:
The FTC requires these institutions and creditors to conduct periodic risk assessments to determine if they handle any accounts covered under the law.
The Red Flags Rule identifies any of the following as entities that the law applies to:
Creditors are generally defined as entities that give advances or loans of money to consumers.
This does not include entities that give advances for expenses relating to a service provided by the institution.
Here are some criteria your institution can review to help understand if you fall under the Red Flag Rules requirements.
Does your institution regularly:
If your answer was “no” to all three questions, the rule does not apply to your institution and you may breathe easy.
If you answered “yes” to one or all of the questions, your institution should review the following:
Does your institution request, get, and use consumer reports regarding credit transactions?
Is information transferred to credit reporting agencies about credit transactions?
Are funds provided to someone that must repay them with funds, property, or collateral?
If you said no to all of these, the Red Flag Rules do not apply to your institution.
If you said yes, your business is considered a creditor and needs to abide by the law.
Covered accounts are generally accounts that a financial institution or creditor offers or maintains for personal, family, or household purposes.
Such an account involves or is designed to permit multiple payments or transactions.
Also, accounts that pose a reasonable risk to consumers of identity theft are covered accounts.
Penalties for non-compliance with the Red Flags Rule are $3,500 in civil fines per violation.
Each infraction can also cost your institution up to $2,500 due to the FTC.
Completing a red flags risk assessment or creating a policy is not enough to follow the regulation.
The program should be incorporated into daily business operations.
Having a strong program will help your institution ensure the safety of its customers against identity fraud.
Being vigilant and following the procedures listed above can help protect against these types of crimes.
If you are concerned about protecting your customers from identity theft and have identified that your institution falls under the umbrella of the rule, contact our experienced team at Radd, LLC to help bring you up to speed!