In light of the Federal Trade Commission's (FTC) impending Red Flags Regulations, a recent NACM-sponsored teleconference offered attendees a thorough primer on the new rules from the FTC's own attorney in the division of privacy and identity protection, Tiffany George, Esq. "I know that the rules may seem overwhelming but you'll find that the actual rules themselves are only a few pages," she said. "The rules benefit your customers and your business, which are protected from fraudulent charges that you couldn't collect on."
The aim of the Red Flags Regulations, which go into effect on May 1, 2009, is to prevent identity theft by requiring businesses, financial institutions and other creditors to keep an eye out for red flags that might indicate fraud or other impropriety. Not all businesses are covered, but business creditors of any kind would do well to establish their own red flags policy and adhere to the FTC's rules, for the safety of their business as well as their customers. Luckily, the regulations allow a business to tailor its policy to fit the complexity of its structure and the average risk inherent in each transaction. "The rule is designed to be flexible and rules-based," said George. "You tailor your program based on your business and the risks you face. An entity with a complex business structure with a high risk of identity theft may have a complex program."
"You make the call as to whether these other accounts are covered," she added. "You have to make that determination for yourself. The standard is a reasonably foreseeable risk for identity theft, not any risk for identity theft."
Each Red Flags program that falls under the regulation's jurisdiction must provide for four steps: identifying relevant red flags, detecting red flags, preventing and mitigating identity theft and updating the program. Compliant companies must also determine their business's own set of signs or signals that might indicate identity theft or fraud, known as Red Flags, and include them in a written policy that's managed by a member of the company's board of directors or by a senior-level official.
To help companies establish their policy, the FTC has published a list of guidelines, divided into seven steps: incorporate existing policies and procedures, identify relevant red flags, set up procedures to detect red flags, respond appropriately to red flags, update the program, administer your program and consider other legal requirements. "A creditor doesn't have to start from scratch on their program," said George. "You can tailor your program and build upon fraud or security measures you already have."
"Don't panic," she added. "The rules are meant to help you and your customers. It's good business. It helps to protect you and your customers from fraudulent charges."
For more information on the FTC's Red Flags rules, visit www.ftc.gov or see past issues of NACM's eNews and Business Credit magazine.
Jacob Barron, NACM staff writer