According to the Federal Trade Commission (FTC), as many as nine million Americans have their identities stolen each year. Identity theft hurts consumers who suffer monetary loss and damage to their credit, but it also hurts businesses left with unpaid bills racked up by scam artists. In an effort to fight identity theft, the FTC passed a law known as the “Red Flags Rule,” which requires many businesses to implement identity theft programs.
The Red Flags Rule applies only to “financial institutions” and “creditors” who deal with “covered accounts.” Financial institutions, not surprisingly, means banks, credit unions, and similar lenders. The term “creditors” for purposes of the rule includes organizations that regularly provide goods or services and bill customers later, and persons who regularly grant or arrange for loans or make credit decisions. This includes most utility companies, health care providers, telecommunications companies, finance companies, brokerage companies, mortgage brokers, real estate brokers, automobile dealers, debt collectors, homeowners' associations, and retailers that offer financing. Many of these people may not realize they are subject to the rule.
There are two types of covered accounts under the rule. One is accounts used mostly for personal, family, or household purposes that involve multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking and savings accounts. The other is accounts for which there is a foreseeable risk of identity theft such as small business accounts.
How to comply
Parties subject to the rule must develop a red flags program designed to identify, detect, prevent and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. The FTC promulgated useful materials for developing a red flags program at www.ftc.gov/redflagsrule. The rule doesn't prescribe specifically what a red flags program must look like. Instead, it allows flexibility to implement a program that is appropriate for the size and complexity of the business involved and the nature and scope of its activities.
Step One: Identify potential red flags
A red flags program should first identify relevant red flags. For example, a driver's license that doesn't look like the person that provides it would be a red flag in most cases.
The FTC materials provide many examples of similar red flags under the following categories: (a) alerts from a credit reporting company; (b) suspicious documents; (c) suspicious personal identifying information; (d) suspicious account activity; or (e) notice from other sources.
Step Two: Detect red flags
Once appropriate red flags are identified, the program must specify how the business intends to detect these red flags. This may involve comparing information provided by a customer with information obtained from other sources. It may also involve the use of multi-factor authentication techniques such as requiring a PIN and password.
Step Three: Prevent and mitigate identity theft
The next step in any red flags program is developing a policy for how to respond when a red flag is spotted. The FTC provides numerous examples of potentially appropriate responses, such as (a) contacting the customer; (b) closing or freezing an existing account; (c) not opening a new account; or (d) notifying law enforcement.
Step Four: Administering the program
A red flags program must be constantly tested and revised to make sure that it is effective in addressing new risks and trends. The FTC requires the program to be approved by a board of directors or senior employee of the company. The program should include staff training as appropriate.
The FTC does not routinely audit businesses for compliance with the Red Flags Rule, but it will investigate complaints from consumers and has the power to impose fines. The best reason to comply with the Red Flags Rule is that it's just plain good business to help fight identity theft.
Noah Klug is principal of The Klug Law Firm, LLC, a general law practice in Summit County emphasizing real estate and business law. He may be reached at (970)468-4953 or Noah@TheKlugLawFirm.com.


