the ftc’s red flag rule. ftc red flag regulations why the red flag regulations?

The FTCs Red Flag Rule

FTC Red Flag Regulations Why the Red Flag Regulations?

FTC Red Flag Regulations As many as 9 million Americans have their identities stolen each year. Identity thieves may drain their accounts, damage their credit, and even endanger their medical treatment. The cost to businesses left with unpaid bills racked up by scam artists can be staggering, too.

FTC Red Flag Regulations Companies, including many small businesses, have also had their identity stolen. Sole proprietors report high incidences of stolen identities.

FTC Red Flag Regulations The Red Flag Rule picks up where data security leaves off. It seeks to prevent identity theft by ensuring that your business or organization is on the lookout for the signs that a crook is using someone elses information, typically to get products or services from you with no intention of paying.

FTC Red Flag Regulations The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs.

FTC Red Flag Regulations A Red Flags Program must include four basic elements, which together create a framework to address the threat of identity theft.

FTC Red Flag Regulations Element One: Identify the Red Flags Your Program must include reasonable policies and procedures to identify the red flags of identity theft you may run across in the day-to-day operation of your business.

FTC Red Flag Regulations Element One: Identify the Red Flags Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft.

FTC Red Flag Regulations Element One: Identify the Red Flags If a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a red flag for your business.

FTC Red Flag Regulations Element One: Identify the Red Flags Consider: Risk Factors Sources of Red Flags Categories of Common Red Flags

FTC Red Flag Regulations Element One: Identify the Red Flags Risk Factors: Different types of accounts pose different kinds of risk.

FTC Red Flag Regulations Element One: Identify the Red Flags Risk Factors Red flags for deposit accounts may differ from red flags for credit accounts. The red flags for consumer accounts may not be the same as those for business accounts. Red flags for accounts opened or accessed online or by phone may differ from those involving face-to-face contact.

FTC Red Flag Regulations Element One: Identify the Red Flags Sources of Red Flags Consider sources of information, including how identity theft may have affected your business and the experience of other members of your industry.

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Credit Reports) a fraud or active duty alert on a credit report a notice of credit freeze in response to a request for a credit report a notice of address discrepancy provided by a credit reporting agency

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Credit Reports, Credit Applications, Rush Orders) a credit report indicating a pattern of activity inconsistent with the persons history a big increase in the volume of inquiries or the use of credit, especially on new accounts; an unusual number of recently established credit relationships; or an account that was closed because of an abuse of account privileges

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Counter Sales Identification) identification that looks altered or forged the person presenting the identification doesnt look like the photo or match the physical description

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Credit Applications) a bogus address, an address for a mail drop or prison, a phone number thats invalid, or one thats associated with a pager or answering service

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Contact by the Customer) The senders email uses a generic service rather than a company name Large quantities of the same item are ordered The shipping address given differs from the companys address or is a new location for the customer

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Contact with the Customer) The language used in the emails is flawed, consistently misspelled and reads like its from a foreign translation Multiple credit cards are used for the purchase

FTC Red Flag Regulations Element One: Identify the Red Flags Sources: (Contact with the Customer) The purchaser attempts to get net 30 terms An alternative shipping method, faster than typical, is requested such as overnight air or rush pick-up Multiple rush orders are received from the same company in a short period of time

FTC Red Flag Regulations Element Two: Detect the Red Flags Your Program must be designed to detect the red flags youve identified.

FTC Red Flag Regulations Element Two: Detect the Red Flags If youve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification. For example, ask for a second form of ID.

FTC Red Flag Regulations Element Two: Detect the Red Flags You may detect a Red Flag when you verify an order that originated with the sender using a generic email account or when you verify a new ship to address, or during your risk assessment as you authenticate customers, monitor transactions, or verify requests for changes of address.

FTC Red Flag Regulations Element Two: Detect the Red Flags Your Program may include procedures to authenticate customers (confirming that the person youre dealing with really is your customer), monitor transactions, and verify the validity of change-of-address requests or new ship-to addresses.

FTC Red Flag Regulations Element Three: Respond Your Program must spell out appropriate actions youll take when you detect red flags.

FTC Red Flag Regulations Element Three: Respond When you spot a red flag, be prepared to respond appropriately. Your response will depend upon the degree of risk posed.

FTC Red Flag Regulations Element Three: Respond The Guidelines in the Red Flags Rule offer examples of some appropriate responses, including: monitoring a covered account for evidence of identity theft contacting the customer

FTC Red Flag Regulations Element Three: Respond Some appropriate responses, including: changing passwords, security codes, or other ways to access an account closing an existing account reopening an account with a new account number

FTC Red Flag Regulations Element Three: Respond Some appropriate responses, including: not opening a new account not trying to collect on an account or not selling an account to a debt collector notifying law enforcement determining that no response is warranted under the particular circumstances

FTC Red Flag Regulations Element Four: Administer & Update Because identity theft is an ever-changing threat, you must address how you will re- evaluate your Program periodically to reflect new risks from this crime.

FTC Red Flag Regulations Element Four: Administer & Update Your board may oversee, develop, implement, and administer the Program or it may designate a senior employee to do the job.

FTC Red Flag Regulations Element Four: Administer & Update Responsibilities include assigning specific responsibility for the Programs implementation, reviewing staff reports about how your organization is complying with the Rule, and approving important changes to your Program.

FTC Red Flag Regulations Element Four: Administer & Update The Rule requires that you train relevant staff only as necessary for example, staff that has received anti-fraud prevention training may not need to be re-trained.

FTC Red Flag Regulations In review, the four elements are: 1.Identify 2.Detect 3.Respond 4.Administer & Update

FTC Red Flag Regulations The point? Describe, in writing, how to incorporate the Red Flag Rule into the daily operations of your business.

FTC Red Flag Regulations Who must comply? The Red Flags Rule applies to financial institutions and creditors.

FTC Red Flag Regulations Creditors must comply. The definition of creditor is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.

FTC Red Flag Regulations Creditors must comply. The Rule also defines a creditor as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions.

FTC Red Flag Regulations The definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit for example, a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition.

FTC Red Flag Regulations Covered Accounts: What does it mean to regularly extend credit? Theres no bright line definition for regularly. But if the activities that meet the definition of creditor are more than just an isolated occurrence for your business, the Red Flags Rule applies to you.

FTC Red Flag Regulations Covered Accounts Once youve concluded that your business or organization is a financial institution or creditor, you must determine if you have any covered accounts.

FTC Red Flag Regulations Covered Accounts Look at both existing accounts and new ones. Two categories of accounts are covered.

FTC Red Flag Regulations Covered Accounts: Consumer Account The first kind is a consumer account you offer your customers thats primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions.

FTC Red Flag Regulations Covered Accounts: Consumer Account Examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

FTC Red Flag Regulations Before you decide you dont have to comply

FTC Red Flag Regulations Covered Accounts: The second kind of covered account is any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

FTC Red Flag Regulations Covered Accounts: The second kind of covered account is any other account that a creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

FTC Red Flag Regulations Covered Accounts: Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft.

FTC Red Flag Regulations Covered Accounts: Q:Am I a creditor under the Rule if I extend credit to other businesses? A: Yes, youre a creditor whether you have consumer or business customers.

FTC Red Flag Regulations Covered Accounts: Q:Do I have covered accounts if Im a business creditor? A: It depends. If youre a creditor with only business- to-business accounts, you have to assess whether those accounts pose a reasonably foreseeable risk from identity theft. If they do, theyre covered accounts under the Rule.

FTC Red Flag Regulations Covered Accounts In determining if accounts are covered under the second category, consider how theyre opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely such as through the Internet or by telephone. Your risk analysis must consider any actual incidents of identity theft involving accounts like these.

FTC Red Flag Regulations Is your business or organization at low risk for identity theft?

FTC Red Flag Regulations Here are some factors to help you decide if your risk level is low: Do you know your customers personally? Perhaps you are familiar with everyone who walks into your office or places an order with your company. Its unlikely that an identity thief can defraud you by impersonating someone you already know. That would place your business at low risk for identity theft.

FTC Red Flag Regulations Low risk level: Have you ever experienced an incident of identity theft? Youve been in business for some time now, and no one has complained that someone stole his identity and used it to get products or services at your business. That might suggest your business is at low risk for identity theft.

FTC Red Flag Regulations Low risk level: Are you in a business where identity theft is uncommon? If there are no reports in the news and no talk among people in your line of work about identity theft, your industry may not now be the target of identity thieves, and your organization may be at low risk for identity theft.

FTC Red Flag Regulations In the event of a knowing violation, which constitutes a pattern or practice of violations, the FTC may commence a civil action to recover a civil penalty in a federal district court. Penalties imposed by the FTC for violations of FACTA may not exceed $3,500 per infraction.

FTC Red Flag Regulations Key to compliance: Create a written Red Flag program

FTC Red Flag Regulations Sample policies: March issue of Business Credit magazine FTCs Low Risk Program Template

FTC Red Flag Regulations

Red Flag Rule went into effect on January 1, 2008 Enforcement scheduled to begin November 1, 2009