FTC Red Flag Rules Explained

Aug 20, 2010 Brian Bradley

A lot of people have heard about the Red Flag Rules and know that businesses need to make changes to comply with them, but understanding the process is imperative for an organization or company to efficiently implement those rules.

The Federal Trade Commission (FTC) and other federally financed regulatory agencies published rules and guidelines addressing fraudulent attempts to use private information without authorization. They require businesses to develop and implement a program that can detect, prevent and mitigate the potential risk of identity theft by watching for suspicious activities, so-called "red flags." The Red Flag Rules don't require companies to adopt any particular procedure, giving them the flexibility to design an Identity Theft Prevention Program appropriate for the complexity and specifics of their business. These precautions are critical steps in protecting consumers from identity fraud and businesses from making bad loans or extending credit to criminals.

The rules apply to any business that offers or connects customers to credit. Therefore, almost every business qualifies: financial institutions (banks, credit card companies, brokerage firms, mortgage lenders) and non-traditional lenders (utilities, car dealerships, health care providers and schools, meaning any school, college or university that provides or accepts financial aid).

In practice, the identity theft prevention plan consists of four main parts: identification (a process to identify patterns, activities or transactions that appear to be leading to identity theft), detection (procedures that will be used to detect the previously defined red flags), response (a process of responding to red flags as they are detected), and revision (periodic updates as the threat landscape changes).

A Red Flag Identifier can be a pattern, practice or activity that triggers the belief that identity theft has occurred. The regulation states five Red Flag categories: alerts, notifications or warnings from a consumer reporting agency; suspicious documents; suspicious personal identifying information; suspicious activities related to a covered account; and notice from customers, victims of identity theft, law enforcement authorities or any other group.

Failure to comply with Red Flag Rules can result in various penalties such as a civil monetary penalty for each violation, regulatory enforcement action, and negative publicity. In some states, according to local laws, failure to comply can lead to actions by consumers or a state attorney general.

Although the Federal Trade Commission has once again delayed enforcement of the Red Flag Rules, noting that an extra grace period is necessary "to give creditors and financial institutions more time to develop and implement written identity theft protection" (especially small businesses), some companies have already implemented such programs. These companies understand that this new regulation is not only a protection program against identity theft, but also against criminal or terrorist activities, all kinds of scams, and money laundering. In short: a very good business policy.