UPDATE: Previously schedule for enforcement on June 1, 2010, the FTC has delayed enforcement of the Red Flags Rule until December 31, 2010 or until Congress clarifies the scope of the entities subject to the Rule, whichever is earlier.
In an effort to reduce the number of identify thefts in this Country, the Federal Trade Commission (“FTC”) has implemented the “Red Flags Rule” which will affect nearly every business that maintains client accounts. This article contains guidelines regarding the applicability of the Red Flags Rule. The Chapar Firm would be pleased to assist you in determining whether the Red Flags Rule is applicable to your business.
The Red Flags Rule requires any entity that is a “creditor” or “financial institution” to implement a written policy that identifies potential identity theft through the detection of certain suspicious activities. Those suspicious activities are referred to as “red flags.” Not a creditor? Don’t be so sure. The FTC has defined creditor to include any business that allows customers or clients to defer payments or make payments over time for a good or service that they receive. Under the FTC definition of creditor, most businesses are subject to the Red Flags Rule.
The FTC requires each creditor to analyze the methods it uses to obtain and maintain its client's personal information and to draft a custom "Red Flags" policy for that business. The list of potential “red flags” that a business identifies should be as exhaustive as possible and should include those “red flags” typically found in the business’s industry and based upon the business’s conduct and history. Further, the business is required to update its Red Flags Policy periodically to address new and ever-evolving methods of identity theft that are used by criminals to illegally obtain personal information.
The policy must be customized to address the specific type of business and the manner in which a of each individual business and must include the manner in which the business will identify red flags, the procedures to detect the red flags, the steps the business will take upon detecting a red flag (such as notify the victim, close an account), and how and when the policy will be updated.
Each customized policy must take into account, among other things, how well the business knows its debtors, whether it is in an industry where identity theft is common, how many debtors the business has, and how the account is accessed by the debtor (face-to-face versus on-line, for example). A business that personally knows each debtor or works primarily in the customers’ homes or face-to-face is less like to encounter identity fraud than one which handles accounts on-line. The policy must be written so that it does not cause privacy concerns. For example, a business that asks for social security numbers from its clients but does not ever run a credit check may, as part of its Red Flags Policy, stop requiring its customers to provide their social security numbers.Upon completion of the customized Red Flags policy, the business must educate its employees on the policy.
Please contact one of our attorneys at 770/483-4115 to arrange a consultation to determine whether your business must comply with the Red Flags Rule.