The
KDDK Advantage - September/October 2009
New Rules for Preventing
Identity Theft
Impose Obligations on Businesses
The Federal Trade Commission
(FTC) and other federal regulatory agencies issued regulations
in 2007 – known as the “Red Flags Rules” – requiring many
businesses and organizations to implement a written Identity
Theft Prevention Program to detect the warning signs –
or “red flags” – of identity theft. By identifying red
flags, businesses should be in a better position to prevent
customers trying to use someone else’s identity to get
products and services. The Red Flags Rules apply to financial
institutions such as banks and credit unions as well as
any business that regularly extends, renews, or continues
credit or arranges for the extension, renewal, or continuation
of credit for its customers. In other words, any business
that regularly allows its customers to purchase goods
or services and then bills them later is a “creditor”
that is subject to the Red Flags Rules. Because these
new rules apply to many businesses that were not previously
regulated by the agencies, the FTC has delayed enforcement
of the Red Flags Rules until November 1, 2009, to give
businesses sufficient time to review the guidance provided
by the agencies and develop and implement written Identity
Theft Prevention Programs.
Under the Red Flags Rules,
financial institutions and creditors must develop a written
program that identifies and detects the appropriate warning
signs of identity theft, which include, for example, unusual
account activity, fraud alerts on a consumer report, or
attempted use of suspicious account application documents.
The written program must also describe appropriate responses
that would prevent and mitigate the identity theft. The
Red Flags program must be managed by the Board of Directors
or senior management employees of the financial institution
or creditor, must include appropriate training for employees
that deal with customer accounts, and must provide for
oversight of any service providers used by the financial
institution or creditor.
Thankfully, the federal
agencies have not imposed a “one size fits all” program
that businesses must comply with, but rather have issued
step-by-step guidelines to allow each business to design
and implement their own unique program suited for their
individual size and complexity. The first step is to identify
the relevant red flags your business might come across
that signal that a potential customer isn’t who he or
she claims to be. The second step is to determine how
your business will detect the red flags you’ve identified.
The third step is to decide how your business will respond
to any red flags that appear. The last step is documenting
how you will administer your Red Flags program by having
the written policy approved by the Board of Directors
or senior management, naming a senior employee to administer
the program, developing written training material for
your employees and implementing a system to update the
program on a regular basis. Establishing an effective
Identity Theft Prevention
Program will not only help your business avoid being the
subject of fraud, but it will also help you gather valuable
information about your customers that may help in collecting
past due accounts.
<<
KDDK Announces Firm's Upcoming Leadership Change
< Indiana Supreme Court
Rejects "Read-and-Heed" Presumption
Condemnation Rules Ever
Changing> |
