Red Flags Rules
Simply put, the Red Flags rules are another set of regulatory requirements aimed at financial institutions and creditors with covered accounts to prevent and detect Identity theft. Although, most financial institutions have been dealing with identity theft risks for some time, other creditors such as car dealerships and smaller businesses were left alone while the identity theft epidemic impacted increasing number of people year after year. Most businesses that did not place priority on protecting the personal information of their clients did so mainly because there was no reason, regulatory or otherwise, to place identity theft on top of their agenda and also because they faced no direct financial consequences. The cost of identity fraud is usually absorbed by the primary creditors and companies which face no material consequence can care less about the financial losses of another due to their own security negligence, until they face other related losses such as from lawsuits, but comparatively speaking, identity theft lawsuits have been very few when compared to the number of high profile corporate security incidents because such identity theft lawsuits are hard to win when legal requirements and baselines do not exist. The Red Flags rules change the game plan and no recent law has had such an impact as the Red Flags law will have on covered companies; small and large, public and private. For a while, we’ve had privacy laws such as HIPAA which was directed toward healthcare and health insurance companies, or GLBA which was aimed at just the financial institutions, but now with the Red Flags rules, all covered companies can be scrutinized for not protecting the personal information of their customers. In my opinion, the Red Flags are not the end of the regulatory requirements addressing identity theft. New laws will continue to be introduced and the existing ones will be expanded and merged to address other industries and companies not yet covered by current laws, improve requirements, and increase the penalties. Larger companies in particular with decentralized and uncoordinated departments better consolidate their identity protection and compliance efforts to prepare for the upcoming audits and lawsuits. The various privacy and identity theft laws such as HIPAA, GLBA and Red Flags are issued and enforced by various agencies and their enforcement will sure hit covered companies from every angle soon if not currently underway and these companies better get ready for redundant, time consuming, and costly audits.
I firmly believe that compliance costs for all affected companies can be drastically reduced if privacy and security risks are addressed from a central point of operation because most laws address many of the same risks in most covered industries and risk assessments as well as internal control testing and mitigation efforts can be managed centrally to satisfy many laws with similar requirements.
What are the Red Flag rules?
In a very simple and concise language, affected companies must implement a program to prevent and detect identity theft. Such program should be updated as needed, and assigned responsibility for risk assessments and control activities designed to achieve the control objective of preventing and detecting identity theft.
According to the FTC, "the red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point." They fall into five categories:
• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious address;
• unusual use of — or suspicious activity relating to — a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
Who must comply with the rules?
The Red Flags rules apply to "financial institutions" or "creditors" who have "covered accounts". This is somewhat tricky because if you collect personal information of your clients as part of your business but are not a "creditor" or do not have "covered accounts", then you’re off the hook. Although the terms “financial institution” and "creditor" are self defined, a "covered account" is a "transaction account" that allows the account holder to make payments or transfers to and from the account such as the brokerage, checking and savings accounts.
How to comply?
Assign the responsibility of the Red Flags compliance to a qualified individual who should then develop and maintain a written program to identify identity theft risks, and implement and monitor related controls to prevent and detect warning signs of identity theft also known as the Red Flags Rules.
In addition, the identity theft program must a) include a response plan, b) address employee awareness training, c) oversee service providers, and d) be approved by the Board of Directors or a senior employee or owner of the company.
Timing?
The identity theft programs must be in place immediately and the Federal Trade Commission can audit compliance with the rules as they wish.
Who enforces the Red Flags rules?
The Red Flags rules were issued and will be enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.
What are the Red Flags rules penalties?
Data breach incidents, or even an insider whistle blower, could inflict a covered company with monetary penalties and civil litigation which can increase the costs of the Red Flags Rule compliance even higher. There are three areas of potential penalties:
• Federal Trade Commission - The FTC is authorized to take violations to federal courts and could enact penalties of up to $2500 for each independent violation of the rule.
• State Enforcement - States are authorized to bring actions on behalf of their residents and may recover up to $1000 for each violation, and also recover attorney's fees.
• Civil Liability - Consumers may be entitled to recover actual identity theft damages sustained from a violation. Identity theft class action law suits will increase, potentially resulting in massive financial losses, ruined business reputation, and loss of clients.
Resources
For more information, Download a copy of the Red Flags rules.