What is the "Red Flags" Rule and Regulations?

 The regulation requires all creditors and covered entities to:

0. Identify relevant patterns, practices and activities that signal any possible risks of identity theft and incorporate those risks and vulnerabilities into provider policies and procedures to identity, prevent, or mitigate identity theft.
0. Create an effective program to detect these "red flags" in daily operation.
0. Respond appropriately to detect "red flags" to prevent and mitigate identity theft.
0. Ensure the program is updated as necessary to incorporate new issue, effective responses, and experience to make the plan most effective.
0. Gain Board of Director's approval.
0. Train all employees and implement company Identity Theft Prevention Program.
0. Verify proper vendor management controls.
0. Maintain proper and current documentation for all aspects of the Identity theft Prevention program.

 Who is Covered?

The Red Flags Rule applies to any financial institution or creditor holding a covered account.

Under the Red Flags rule, a financial institution is defined as a state or national bank, a state of federal savings and loan association, a mutual savings bank a state or federal credit union, or any other entity that holds a "transaction account" belonging to a customer.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.  Examples of creditors include finance companies, automobile dealers, doctors, hospitals and others in the health care industry, mortgage brokers, utility companies, and telecommunications companies.  Non-profit and government entitites are also deemed to be creditors where they defer payment for goods or services.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions.  Examples of covered accounts include, but are not limited to, credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.  A covered account is also defined to include an account for which there is a foreseeable risk of identity theft, such as small business or sole proprietorship accounts.

Given the broad definitions of "creditor" (any entity that defers payments for good or services) and "covered account" (any account involving multiple transactions), the Red flags rule will likely apply to many  businesses in the United States.  in fact, the FTC has estimated as many as 11 million creditors will have to comply with the Rule, and has stated that the Rule is also applicable to non-profit organizations, associations, government agencies and those in the health and medical industries as well.

Using Best Practices Ifida Known Enterprises develops customized, industry specific and environmentally-based policies, standards, and operational procedures that align with regulatory guidance for:

Red Flags audits and assessments

Identity theft risks and vulnerabilities

Database holes and breachable soft spots (electronic and non-electronic databases)

Data destruction and disposal

Written Red Flags Identity Theft Prevention Programs

Proper governance and program oversight