Are you complying with the Red Flags Rule?
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs — or “red flags” — of identity theft in their day-to-day operations. By identifying red flags in advance, businesses will be better equipped to spot suspicious patterns that may arise — and take steps to prevent a red flag from escalating into a costly episode of identity theft. The Program must be documented and updated periodically. Updates must reflect changes in risks to customers, or to the safety and soundness of the financial institution or creditor, from identity theft. The Program must also have the approval of the Board of Directors or a designated Senior Management employee. The Board of Directors is also responsible for supervising the implementation of the Program, the training of staff, and the oversight of service providers.
Who Must Comply with the Red Flags Rule?
The Rule requires “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft — to develop and implement an Identity Theft Prevention Program for new and existing accounts. The definition of “financial institution” includes:
- all banks, savings associations, and credit unions, regardless of whether they hold a transaction account belonging to a consumer; and
- anyone else who directly or indirectly holds a transaction account belonging to a consumer.
A change in the law on December 18, 2010 amended the definition of “creditor” and limits the circumstances under which creditors are covered. The new law covers creditors who regularly, and in the ordinary course of business, meet one of three general criteria. They must:
- obtain or use consumer reports in connection with a credit transaction;
- furnish information to consumer reporting agencies in connection with a credit transaction; or
- advance funds to — or on behalf of — someone, except for funds for expenses incidental to a service provided by the creditor to that person.
While many financial institutions and creditors have put processes in place to deal with identity theft, the overwhelming majority have not. The Red Flags Rule now mandates that such processes be formalized into an Identity Theft Prevention Program to detect, prevent and mitigate identity theft for covered accounts.
A holistic approach to information security can help to integrate compliance efforts with business objectives to efficiently focus resources on IT governance and threat management. Working either as a full-service consultant or as an adjunct to your in-house business and security team, TBG will execute our compliance readiness process to ensure that your business meets or exceeds its compliance requirements. The TBG Security Compliance Services practice delivers a full range of assessment, remediation, implementation, certification and education services to help organizations of all sizes establish and improve compliance.
For more information on how TBG Security can help your organization reach Red Flags Rule compliance, contact our Compliance Practice Manager or call us directly at 877.233.6651 ext 704.