After a one-year extension of the Red Flags Rule compliance deadline, November 1, 2009 is quickly approaching. Does the Red Flags Rule apply to you? Are you ready? Here is a brief overview of the rule requirements, courtesy of the offices of John D. Freeman, CPA.
1. The Red Flags Rule applies to financial institutions and creditors, as defined by the FTC, who deal with Covered Accounts.
Definitions:
Financial Institution:
Creditor: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Covered Accounts: There are two categories of Covered Accounts: 1. Accounts for personal purposes (i.e. mortgage loans; cell phone, credit card or utility accounts), 2. Accounts 'for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.'
Red Flags: Red flags are different for every company. For instance, if your company checks photo IDs, an obvious red flag of identity theft is an inconsistency between the person's appearance and the information (height, eye color) on the ID. Another example: if you report information to the IRS, like interest received from a homeowner, and the IRS sends you a notification that the social security number does not match the homeowner's personal information (name, address, etc.).
2. Identify your business's risk level.
Companies with a higher risk level need to take different actions regarding identity theft than companies with low risk.
3. Design and implement an Identity Theft Prevention Program (ITPP).
Step 1: Identify relevant red flags
Step 2: Detect red flags
Determine a procedure for identifying red flags, like training staff to look at IDs to see if the person's appearance is consistent.
Step 3: Respond to red flags
Ask for another form of ID.
Step 4: Administer and follow up on ITPP
Document your program, including a description of how you will train your staff, how you will supervise your service providers, and how you will update your program. You will also need the approval of your Board of Directors or a senior manager, and you will need to designate senior management to implement your ITPP.
You should be aware that non-compliance with the Red Flags Rule opens companies to liability risk, including but not limited to an FTC investigation and lawsuits by the harmed party whose identity was stolen. So make sure you find out if the Red Flags Rule applies to you.
www.JohnFreemanCPA.com


