Post on 27-Dec-2015

The FTC’s Red Flag Rule

FTC Red Flag Regulations

Why the Red Flag Regulations?

As many as 9 million Americans have their identities stolen each year. Identity thieves may drain their accounts, damage their credit, and even endanger their medical treatment. The cost to businesses – left with unpaid bills racked up by scam artists – can be staggering, too.

Companies, including many small businesses, have also had their identity stolen.

Sole proprietors report high incidences of stolen identities.

The Red Flag Rule picks up where data security leaves off.

It seeks to prevent identity theft by ensuring that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get products or services from you with no intention of paying.

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs.

A Red Flags Program must include four basic elements, which together create a framework to address the threat of identity theft.

Element One: Identify the Red Flags

Your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business.

Element One: Identify the Red Flags

Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.

Element One: Identify the Red Flags

If a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

Element One: Identify the Red Flags

Consider:

• Risk Factors
• Sources of Red Flags
• Categories of Common Red Flags

Element One: Identify the Red Flags

Risk Factors: Different types of accounts pose different kinds of risk.

Element One: Identify the Red Flags

Risk Factors

Red flags for deposit accounts may differ from red flags for credit accounts.

The red flags for consumer accounts may not be the same as those for business accounts.

Red flags for accounts opened or accessed online or by phone may differ from those involving face-to-face contact.

Element One: Identify the Red Flags

Sources of Red Flags: Consider sources of information, including how identity theft may have affected your business and the experience of other members of your industry.

Element One: Identify the Red Flags

Sources: (Credit Reports)

• a fraud or active duty alert on a credit report

• a notice of credit freeze in response to a request for a credit report

• a notice of address discrepancy provided by a credit reporting agency

Element One: Identify the Red Flags

Sources: (Credit Reports, Credit Applications, Rush Orders)

• a credit report indicating a pattern of activity inconsistent with the person’s history

• a big increase in the volume of inquiries or the use of credit, especially on new accounts;

• an unusual number of recently established credit relationships;

• or an account that was closed because of an abuse of account privileges

Element One: Identify the Red Flags

Sources: (Counter Sales Identification)

• identification that looks altered or forged

• the person presenting the identification doesn’t look like the photo or match the physical description

Element One: Identify the Red Flags

Sources: (Credit Applications)

• a bogus address, an address for a mail drop or prison, a phone number that’s invalid, or one that’s associated with a pager or answering service

Element One: Identify the Red Flags

Sources: (Contact by the Customer)

• The sender’s email uses a generic service rather than a company name

• Large quantities of the same item are ordered

• The shipping address given differs from the company’s address or is a new location for the customer

Element One: Identify the Red Flags

Sources: (Contact with the Customer)

• The language used in the emails is flawed, consistently misspelled and reads like it’s from a foreign translation

• Multiple credit cards are used for the purchase

Element One: Identify the Red Flags

Sources: (Contact with the Customer)

• The purchaser attempts to get net 30 terms

• An alternative shipping method, faster than typical, is requested such as overnight air or rush pick-up

• Multiple rush orders are received from the same company in a short period of time

Element Two: Detect the Red Flags

Your Program must be designed to detect the red flags you’ve identified.

Element Two: Detect the Red Flags

If you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

For example, ask for a second form of ID.

Element Two: Detect the Red Flags

You may detect a Red Flag when you verify an order that originated with the sender using a generic email account or when you verify a new “ship to” address, or during your risk assessment as you authenticate customers, monitor transactions, or verify requests for changes of address.

Element Two: Detect the Red Flags

Your Program may include procedures to authenticate customers (confirming that the person you’re dealing with really is your customer), monitor transactions, and verify the validity of change-of-address requests or new ship-to addresses.

Element Three: Respond

Your Program must spell out appropriate actions you’ll take when you detect red flags.

Element Three: Respond

When you spot a red flag, be prepared to respond appropriately. Your response will depend upon the degree of risk posed.

Element Three: Respond

The Guidelines in the Red Flags Rule offer examples of some appropriate responses, including:

• monitoring a covered account for evidence of identity theft

• contacting the customer

Element Three: Respond

Some appropriate responses, including:

• changing passwords, security codes, or other ways to access an account

• closing an existing account

• reopening an account with a new account number

Element Three: Respond

Some appropriate responses, including:

• not opening a new account

• not trying to collect on an account or not selling an account to a debt collector

• notifying law enforcement

• determining that no response is warranted under the particular circumstances

Element Four: Administer & Update

Because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.

Element Four: Administer & Update

Your board may oversee, develop, implement, and administer the Program or it may designate a senior employee to do the job.

Element Four: Administer & Update

Responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how your organization is complying with the Rule, and approving important changes to your Program.

Element Four: Administer & Update

The Rule requires that you train relevant staff only as “necessary” – for example, staff that has received anti-fraud prevention training may not need to be re-trained.

In review, the four elements are:

1. Identify
2. Detect
3. Respond
4. Administer & Update

The point?

Describe, in writing, how to incorporate the Red Flag Rule into the daily operations of your business.

Who must comply?

The Red Flags Rule applies to “financial institutions” and “creditors.”

Creditors must comply.

The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.

Creditors must comply.

The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions.

The definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition.

Covered Accounts:

What does it mean to “regularly” extend credit?

There’s no bright line definition for “regularly.”

But if the activities that meet the definition of “creditor” are more than just an isolated occurrence for your business, the Red Flags Rule applies to you.

Covered Accounts

Once you’ve concluded that your business or organization is a financial institution or creditor, you must determine if you have any “covered accounts.”

Covered Accounts

Look at both existing accounts and new ones.

Two categories of accounts are covered.

Covered Accounts: Consumer Account

The first kind is a consumer account you offer your customers that’s primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions.

Covered Accounts: Consumer Account

Examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

Before you decide you don’t have to comply …

Covered Accounts:

The second kind of “covered account” is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

Covered Accounts:

The second kind of “covered account” is “any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

Covered Accounts:

Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft.

Covered Accounts:

Q: Am I a creditor under the Rule if I extend credit to other businesses?

A: Yes, you’re a creditor whether you have consumer or business customers.

Covered Accounts:

Q: Do I have covered accounts if I’m a business creditor?

A: It depends. If you’re a creditor with only business-to-business accounts, you have to assess whether those accounts pose a reasonably foreseeable risk from identity theft. If they do, they’re “covered accounts” under the Rule.

Covered Accounts

In determining if accounts are covered under the second category, consider how they’re opened and accessed.

For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely – such as through the Internet or by telephone.

Your risk analysis must consider any actual incidents of identity theft involving accounts like these.

Is your business or organization at low risk for identity theft?

Here are some factors to help you decide if your risk level is low:

Do you know your customers personally?

Perhaps you are familiar with everyone who walks into your office or places an order with your company. It’s unlikely that an identity thief can defraud you by impersonating someone you already know. That would place your business at low risk for identity theft.

Low risk level:

Have you ever experienced an incident of identity theft?

You’ve been in business for some time now, and no one has complained that someone stole his identity and used it to get products or services at your business. That might suggest your business is at low risk for identity theft.

Low risk level:

Are you in a business where identity theft is uncommon?

If there are no reports in the news and no talk among people in your line of work about identity theft, your industry may not now be the target of identity thieves, and your organization may be at low risk for identity theft.

In the event of a knowing violation, which constitutes a pattern or practice of violations, the FTC may commence a civil action to recover a civil penalty in a federal district court. Penalties imposed by the FTC for violations of FACTA may not exceed $3,500 per infraction.

Key to compliance:

Create a written Red Flag program

Sample policies:

March issue of Business Credit magazine

FTC’s Low Risk Program Template

Red Flag Rule went into effect on January 1, 2008

Enforcement scheduled to begin November 1, 2009
