May 01, 2010
The following article is from Issue 2 of Case in Point (formerly Insights), EisnerAmper's Litigation Services group newsletter.
In 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the “Red Flags Rule,” which require covered organizations to implement a written identity theft prevention program. Although the FTC has repeatedly postponed enforcement, the compliance deadline is now set for June 1.
Casting a wide net
Contrary to what some believe, the Red Flags Rule doesn’t apply only to financial institutions. It also applies to “creditors” — a category that encompasses organizations that regularly extend, renew or continue credit (law firms, however, are exempt from the Rule). Determining whether a company must comply is a two-step process:
1. Does it meet the definition of “financial institution” or “creditor”? Financial institutions include banks, savings and loans, credit unions, mutual funds that offer check-writing privileges, and other institutions that permit consumers to make payments or transfers to third parties.
“Creditor” includes organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. The Rule, therefore, might apply to utility companies, health care providers and telecommunications companies, to name a few examples.
Creditors also include those that regularly grant loans, arrange for loans or extensions of credit, or make credit decisions, such as finance companies, mortgage brokers, real estate agents, automobile dealers and third-party debt collectors.
2. If the company is a financial institution or creditor, does it have any “covered accounts”? There are two types of covered accounts. The first is a consumer account that’s primarily for personal, family or household purposes and permits multiple payments or transactions — such as mortgages, auto loans and credit card accounts. The second is any other account for which there’s a reasonably foreseeable risk of identity theft. Examples include small business, sole proprietorship and single-transaction consumer accounts.
Building a program
Companies that meet both of the above conditions are subject to the Rule and must develop, implement and administer a written identity theft prevention program. The program must include reasonable policies and procedures to identify the red flags of identity theft and must be designed to detect those red flags. It also must spell out appropriate actions to take when red flags are detected. And it must establish procedures for periodically re-evaluating the program and addressing new risks.
The specific details of an organization’s program depend on its size and risk profile. Companies with a relatively low risk of identity theft, for example, don’t need as comprehensive a program as high-risk companies.
No time to waste
If the Red Flags Rule applies to your clients and they aren’t prepared for it, enlist the help of a financial expert as soon as possible. Failure to comply with the Rule’s requirements could result in a penalty of up to $2,500 for a “knowing violation.”
Is Your Client Covered by the Red Flags Rule?