
ID Theft—Keeping Your Workers’ and Customers’ Trust

As many as 9 million Americans have their identities stolen each year. Are some of those thefts going to happen because your company was lax at identifying red flags? The “Red Flags Rule,” which recently went into effect, requires many businesses and organizations to implement a written Identity Theft Prevention Program.

Although the Federal Trade Commission’s (FTC) Red Flags Rule doesn’t require a program from noncovered entities, it’s a good idea for any organization to evaluate identity theft risk and take measures to prevent it.

What Is the Red Flags Rule?

The Red Flags Rule requires covered entities (see below) to develop programs that include four basic elements:


  • Reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. (Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.)
  • Methods to detect the red flags you’ve identified.
  • Appropriate actions when you detect red flags.
  • A system for re-evaluating your program periodically to reflect new risks, as identity theft is an ever-changing threat.

Who Must Comply with the Red Flags Rule?

The Red Flags Rule applies directly to “financial institutions” and to “creditors.” The Rule requires those entities to conduct a periodic risk assessment to determine if they have “covered accounts.” If they do, they must implement a written program.

“Covered accounts” are typically consumer accounts you offer your customers that are primarily for personal, family, or household purposes and that involve or are designed to permit multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.




Simply accepting credit cards as a form of payment does not make you a “creditor” under the Red Flags Rule.

Don’t Have Any Covered Accounts?

If you don’t have covered accounts, you don’t need to have a written program. But you must still conduct a periodic risk assessment to determine if you’ve acquired any covered accounts through changes to your business structure, processes, or organization.

How to Comply

If you’re a creditor or financial institution with covered accounts, you must develop and implement a written Identity Theft Prevention Program. The program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones.

Your program must be appropriate to the size and complexity of your business or organization and the nature and scope of its activities.

FTC recommends a four-step process for developing a program.

  • Step One—Identify relevant red flags.
  • Step Two—Detect red flags.
  • Step Three—Prevent and mitigate identity theft.
  • Step Four—Update your program.

Let’s look at these steps in a little more detail.

Step One—Identify Relevant Red Flags

“Red flags” are potential patterns, practices, or specific activities indicating the possibility of identity theft. FTC identifies five categories of common red flags:

1. Alerts, Notifications, and Warnings from a Credit Reporting Company

Some examples of alerts and notifications you might receive:

  • Fraud or active duty alert on a credit report
  • Notice of credit freeze in response to a request for a credit report
  • Credit report indicating a pattern of activity inconsistent with the person’s history
  • Unusual number of recently established credit relationships 

2. Suspicious Documents

Sometimes, paperwork has the telltale signs of identity theft. Here are examples of red flags involving documents:

  • Identification that looks altered or forged.
  • The person presenting the identification doesn’t look like the photo or match the physical description.
  • Information on the identification that differs from what the person presenting the identification is telling you or doesn’t match other information, like a signature card or recent check.



3. Suspicious Personal Identifying Information

Here are some red flags involving identifying information:

  • Inconsistencies with what else you know—for example, an address that doesn’t match the credit report, or the use of a Social Security number that’s listed on the Social Security Administration Death Master File
  • Address or telephone number that’s been used by many other people opening accounts
  • Person who can’t provide authenticating information—for example, a person who can’t answer a challenge question

In tomorrow’s Advisor, we’ll find some more red flags, and announce a new BLR webinar that’s designed to answer all your specific questions about identity theft and the workplace.


1 thought on “ID Theft—Keeping Your Workers’ and Customers’ Trust”

  1. While the description of a creditor is accurate, it may not go far enough to give readers a sense of how broadly the term can apply, such as small businesses and personal services.  For example, a tax accountant that allows a customer to pay over time, or a doctor or lawyer who allows an individual to make multiple payments after the services are received may be a ‘creditor’.  The good news is that in those cases the written program need not be very complex or detailed – and probably would include the common sense clues that you may be dealing with someone using another’s identity.
