By Thomas Ahearn, ESR Staff Writer
With identity theft on the rise â€“ a recent survey found the number of identity theft and fraud victims in the U.S. increased 12 percent to affect over 11 million adults in 2009 â€“ the Federal Trade Commission (FTC) is requiring businesses that extend credit to customers to develop plans to detect and prevent identity theft beginning June 1, 2010.
The FTC delayed enforcement of this â€œRed Flagsâ€ Rule until June 1, 2010 at the request of Congress after the Rule was published under the Fair and Accurate Credit Transactions Act (FACTA) in which Congress directed the FTC to develop regulations for â€œfinancial institutionsâ€ and â€œcreditorsâ€ that have â€œcovered accountsâ€ to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities â€“ or â€œred flagsâ€ â€“ that may indicate identity theft.
According to a â€œFacts For Businessesâ€ page on the FTC website, the Red Flags Rule for implementing a written identity theft prevention program applies to â€œfinancial institutionsâ€ and â€œcreditorsâ€ with â€œcovered accounts,â€ and the FTC warns that these terms may apply to groups that might not typically use those words to describe themselves.
- The Red Flags Rule defines a â€œfinancial institutionâ€ as banks, savings and loan associations, mutual savings banks, credit unions, or any person, directly or indirectly, holding a transaction account belonging to a consumer.
- The Red Flags Rule definition of â€œcreditorâ€ is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies may fall within this definition. Creditors also include those who regularly grant loans, arrange for loans, or extend credit.
- The Red Flags Rule defines that term â€œcovered accountsâ€ as 1.) A consumer account primarily designed to permit multiple payments or transactions such as credit card accounts, mortgage/auto loans, and cell phone, utility, and checking and savings accounts; and 2.) Any account for which there is a foreseeable risk to customers or to the financial institution or creditor from identity theft.
Beginning June 1, the Red Flags Rule requires â€œfinancial institutionsâ€ and â€œcreditorsâ€ with â€œcovered accountsâ€ described above to develop, implement, and administer Identity Theft Prevention Programs that include four basic elements to address the threat of identity theft: Indentify, Detect, Prevent, and Update.
- An Identity Theft Prevention Program must include reasonable policies and procedures to identify the â€œred flagsâ€ of identity theft, the suspicious patterns and practices, or specific activities, that may indicate the possibility of identity theft.
- An Identity Theft Prevention Program must be designed to detect the red flags identified, and have procedures in place to help in the detection of red flags.
- An Identity Theft Prevention Program must spell out the appropriate response to take when red flags are detected to prevent and mitigate identity theft.
- An Identity Theft Prevention Program should go through a periodic update to reflect new risks from identity theft since this crime is an ever-changing threat.
In addition, the Red Flags Rule written Identity Theft Prevention Program designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones must be appropriate to the size and complexity of the business or organization and the scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Identity Theft Prevention Program.