The Red Flags Rule is a US federal regulation which requires companies to implement identity theft programs for preventing and detecting identity fraud. Although many organizations have been dealing with identity fraud risks for some time, others may not have been diligent in preventing identity fraud. The law recognizes that customers' personal information will continue to be stolen to commit fraud and that, therefore, every company which may be a target of identity fraud using stolen information must be prepared to identify, detect and mitigate identity fraud risks. I firmly believe that compliance costs for all affected companies can be drastically reduced if privacy and security risks are addressed from a central point of operation, because most laws address many of the same risks in most covered industries, and risk assessments as well as internal control testing and mitigation efforts can be managed centrally to satisfy many laws with similar requirements.
What is the Red Flags Rule?
In summary, companies which might be a target of identity fraud using stolen information must implement a program to prevent and detect identity theft. Such a program should be updated as needed, and a responsible person should be assigned to carry out the risk assessments and control activities designed to achieve the control objective of preventing and detecting identity fraud.
According to the FTC, "the red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point." These identity theft red flags fall into five categories:
• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious address;
• unusual use of — or suspicious activity relating to — a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
Who must comply with the rule?
The Red Flags Rule applies to many companies which face identity fraud, namely "financial institutions" or "creditors" that hold "covered accounts". This is somewhat tricky because a company that faces identity fraud risks but is not considered a "creditor", or does not hold "covered accounts", falls outside the Rule even though the underlying risk is the same.
How to comply?
Assign responsibility for Red Flags Rule compliance to a qualified individual, who should then develop and maintain a written program to identify identity theft risks, and implement and monitor the related controls to detect identity fraud.
In addition, the identity theft program must a) include a response plan for detected red flags, b) address employee awareness training, c) provide for oversight of service providers, and d) be approved by the Board of Directors or the owner of the company.
The identity theft program must be in place now, and the Federal Trade Commission can audit compliance with the Rule at any time.
Who enforces the Red Flags Rule?
The Rule was issued under the Fair and Accurate Credit Transactions (FACT) Act of 2003 and is enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA).
What are the compliance penalties?
A data breach incident, or even an insider whistleblower, can expose a covered company to monetary penalties and civil litigation, raising the cost of Red Flags Rule non-compliance well above the cost of compliance. There are three areas of potential penalties:
• Federal Trade Commission - The FTC is authorized to take violations to federal court and may seek penalties of up to $2,500 for each independent violation of the Rule.
• State Enforcement - States are authorized to bring actions on behalf of their residents and may recover up to $1,000 for each violation, plus attorney's fees.
• Civil Liability - Consumers may be entitled to recover the actual identity theft damages they sustained as a result of a violation. Identity theft class action lawsuits are likely to increase, potentially resulting in large financial losses, a damaged business reputation, and loss of clients.