Red Flags Rule

NEWS UPDATE!!! FTC Will Grant Six-Month Delay of Enforcement of 'Red Flag Rules' for implementing an Identity Theft Program & to oversee service providers, vendors, and third-party contractors. BUT!! - "Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance."

Excerpts from a recent Bank Info Security Article -

"IDTheft Red Flag Rules: How to Help Your Business Customers Comply"
September 8, 2008 - Linda McGlasson - Managing Editor

 These covered entities, no matter how small, need to design and implement an identity theft prevention program, George adds.....

"Entities need to realize this applies to anyone who defers payment for a good or service," George says. "Even mom and pop stores that offer monthly credit to customers would fall under this rule."

 Any interaction where a consumer is not paying up front would make the business a creditor,

"So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," George explains.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors.


(If you would like a copy of the full article, ask for a copy to be brought to the appointment.)


"Identity Theft Red Flag Rules" - http://www.FTC.gov/os/2007/10/r611019redflagsfrn.pdf

Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 

Background:
The final rule, Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act. The purpose of the Rule is to attempt to minimize incidents of identity theft and fraud in the opening and maintenance of covered accounts by financial institutions and creditors, as well as to address issues of address discrepancies by users of consumer reports (credit reports and specialty consumer reports) and debit or credit card issuers.

The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts.

It is important to note that, as with the Disposal Rule and Gramm-Leach-Bliley, the Red Flags Rule does NOT automatically apply to every business. Under the final rule, only those financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written Program. For example, a restaurant that accepts credit cards as a means of one-time payment in full by a customer who purchases a meal is not impacted; whereas, a utility company that opens and maintains accounts for its customers is impacted.

Summary of Key Requirements:
The Red Flag Rules became effective in January 2008, and compliance has been extended to August 1, 2009.

The Federal Trade Commission (FTC) and 5 federal agencies have strengthened the FACTA Law with some recorded Identity Theft Red Flag Rules.


 - On Page 10, the responsibility of having an Identity Theft Mitigation Program, Training, and
    an Information Security Officer in place falls on the Board of Directors.

 - On Page 15, it further states that if a "Board of Directors" does not exist, responsibility falls
    on "a designated employee at the level of Senior Management".

 - On Page 21, "Identity Theft" is defined as "a fraud Committed or Attempted using the personal
    identifying information (PII) of another person without authority."

 - On Page 22, it designates that the loss of "one single piece" of Personal Identifiable
    Information (PII) constitutes an "Identity Theft" and places the "at fault company" under
    penalty provisions of the FACT Act of 2005 (FACTA).

The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft of its customers. In addition, the final rules require users of consumer reports (e.g., credit reports and specialty consumer reports) to develop reasonable policies and procedures as well.

If you are a service provider of a "financial institution" or "creditor", it is important to understand that you must also implement reasonable policies and procedures for detecting, preventing, and mitigating identity theft of your customers, which in some cases are the employees of the "financial institutions" or "creditors."