September 26, 2009

What every business needs to know about the Red Flag Rules: Protect your business from potential liability

By Hallie Hawkins, JD and CITRMS

Are you a business owner? Are you on the Board of a company? Are you in charge of Human Resources at a company? Has your company complied with the FACTA Red Flag Rules?
Are you even aware of what they are? Are you aware that if the company does not comply, there is potential liability?

The deadline to comply with the Red Flag Rules issued by the Federal Trade Commission is approaching once again. The rules require "creditors" and "financial institutions" to develop written plans to prevent and detect identity theft. The new deadline is November 1, 2009.

One of the reasons for the delay has been the question of which companies must comply. Initially, the rules seemed to affect a narrow group of businesses. Upon further interpretation, the scope of who must comply has been broadened.

The Red Flag Rules certainly apply to financial institutions, and they also apply to any "creditor." Because of the confusion, the FTC has now provided a list of business entities that it BELIEVES the Red Flag Rules apply to. It is as follows:

• Doctors, dentists, and other health care providers;
• Accountants and lawyers;
• Utilities;
• Telecommunications companies;
• Debt collectors;
• Retailers; and
• Employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card.

A company is not off the hook if it does not fit into that list. The actual determination will be based in part upon the risk of identity theft among the accounts the entity holds.

The formal obligation to comply with the Red Flag Rules applies to entities with covered accounts. A detailed analysis of what a covered account is is not necessary here. The reality is that each company must look at how it actually functions, and at the size and complexity of the business, to determine what type of program should be put into place. Is there a reasonably foreseeable risk of identity theft in the way that the business is run? A company that determines there is a high risk of identity theft of customer information should have a comprehensive program. If it is determined that there is low risk, then a simple written plan will do. If your company already has general identity theft and fraud prevention policies in place, review them and incorporate the Red Flag Rules into existing policy.

It is not as difficult as it seems.

1. Identify the Red Flag issues that arise in the daily running of the business. This covers everyone from administrative staff to outside sales. The general areas of concern are:
• Alerts, notifications or warnings from a consumer reporting agency;
• Suspicious documents;
• Suspicious personal identifying information;
• Unusual use of, or suspicious activity related to, the covered account; and
• Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft.
2. Detail specific procedures that can be used to DETECT those red flags on a daily operating basis, including education of managers and employees.
3. Detail specific procedures to prevent and stop any potential theft of critical information, including what should be done if critical information is stolen or lost.
4. Create a WRITTEN plan and update it yearly. Keep your staff, including newly hired staff, educated. They are the first line of defense. An upper-level manager should be directly responsible for this area of policy.

The Federal Trade Commission website has great resources, including a way to walk through the analysis online at 
Every company should do this. Protect your company from potential liability.

© Hallie Hawkins, JD

1 comment:

Hallie said...

Please note: Deadline has changed to June of 2010.