Just Writing Policies Does Not Make Your Practice
Red Flags Compliant...

Many businesses have been under the impression that just writing a few office policies will make them compliant with the FTC's Red Flags Regulations.  This is not the case and the following guidelines provided for the Red Flags Rule clearly state the requirements for fully implementing the mandatory Identity Theft Protection program.  The Red Flags Rule was designed and written to give each business and industry the flexibility to design a program appropriate for its size and potential vulnerabilities and risks of identity theft.

The key is to make sure you do your due diligence in identifying the "red flags" in all of your operations and for each individual location where your business operates.  Be aware that there are some businesses out there offering "one size fits all" red flags programs and leaving your top executives and board members accountable to unnecessary professional and personal risks and fines.

1^st  Your business must conduct an audit and assessment to identify the "red flags" that will put your business and clients at risk and make them vulnerable to identity theft.  This includes looking at all of the areas of your day-to-day operations.  You must consider each step of your business that a consumer goes through in doing business with your company; from opening a "covered account" through your responsibility in destroying and discarding all of their data once the account and all important information is no longer required to be held by your company.

 2^nd  Your program must be designed to detect the "red flags" you've identified during your audit and assessment process.  Consider reviewing all of your current policies and procedures in handling PII.

3^rd  Your Program must spell out the appropriate and necessary actions each member of your staff will take when you detect the "red flags".  You must identify a Red Flags compliance Officer for your business.

This individual will be responsible for ensuring that all areas of your Red flags Program are in place and adhered to.  You must also address how you will monitor the compliance of your outside contractors, vendors and outsourced services.

4^th  Once you have gone through steps 1- 3 and have your written Red Flags Identity theft Prevention Program completed, you must then have either your Board of Directors or an executive staff member approve your written program.  After ENRON and other various scandals, government officials learned that it is important to be able to "point-the-finger" of accountability at key executives within an organization.  Thus, this is a highly sensitive and key element within your company's compliance with the Red Flags rule as it is the component that the FTC will use to hold individuals within your company accountable for any identity theft, database breach or compromise in consumer or employee information and data.

5^th  Once you have your written Program approved by your Board of Directors or Senior Executive staff member, [for a small business ... this may be the owner(s) who approve the written Program] you must then provide the appropriate training for all employees, on-site contractors, and all new staff (as they come on board) dealing with any portion of your company's Identity Theft Prevention Program.

6^th  Now that your Red Flags Rule identity Theft Prevention program is identified, written, approved and implemented within your business, you must address how your Program will be monitored and maintained to address the constant changing environment, tricks, tactics, and techniques of identity thieves and fraudsters.  This final element of the Red Flags rule mandates that you keep up with the changing environment of identity theft as thieves conjure up new ways to steal and use the PII of consumers and businesses every day.

As these elements of compliance of the Red Flags Rule indicate, the United States congress has identified the growing epidemic of identity theft and is holding businesses, organizations, associations and agencies accountable to Stopping Identity Theft where it is most likely to originate - at the starting point of commerce.