Identity theft 101: What is the Red Flags Rule?

From (7/20/09)
By Joe Campana

The Red Flags Rule is a U.S. federal law that requires nearly every business and organization to develop and implement an identity theft prevention program. The purpose of the program is to authenticate the identity of customers in order to reduce the incidence of identity theft. Authentication is required when a new financial or credit account is opened or when a change is requested on an existing covered account. The law covers both consumer and business accounts.

The broad definitions of “covered account” and “creditor” include nearly every business and organization. If a business or organization accepts payment for products or services after they are delivered, it is a creditor under the law and must comply. Those that only accept payment prior to or upon delivery are not creditors, regardless of how payment is accepted—cash, check or credit card.

Compliance is risk based, meaning that entities must implement a compliance program that is reasonable and appropriate for the risks the organization is likely to encounter. For most entities, especially small businesses, compliance is simple and straightforward, and it will prevent fraud and financial loss by ensuring the entity is doing business with a legal person or legal business, and not with an identity thief.

The Red Flags Rule was enacted on January 1, 2008 under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), the first revision to the Fair Credit Reporting Act (FCRA). Compliance under the Red Flags Rule became effective on November 1, 2008 for those entities under the purview of any of five federal banking and credit union regulators (OCC, Federal Reserve System, FDIC, OTS, NCUA). Compliance has been required since August 1, 2009 for those entities regulated by the Federal Trade Commission (FTC).

The law requires that entities regularly conduct a risk assessment to determine whether they have covered accounts and whether they have any other accounts that carry a reasonably foreseeable risk of identity theft. If they do, a written identity theft prevention program is required that describes how the entity will authenticate customers who open new accounts, change existing accounts or access accounts electronically. The program also requires top-level management support and oversight, as well as regular risk assessments and program review.

The law gets its name from the methods commonly used to authenticate the identity of customers. For example, if new customers are authenticated by requesting picture identification, and the picture and description on the identification bear no resemblance to the person presenting it, this is a red flag.
