The Red Flag Rules are rules that apply to financial institutions and creditors who offer or maintain one or more covered accounts. The rules specifically mandate that these financial institutions and creditors create and implement identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.
The Red Flag Rule was developed in accordance with the Fair and Accurate Credit Transactions Act of 2003. Under the rule, financial institutions and creditors with covered accounts — accounts that involve making payments — must have identity theft prevention programs to identify anything that could lead to identity theft.
If you extend credit to your customers or clients, you will have to follow these Red Flag Rules, which will be enforced by the Federal Trade Commission (FTC) and will be in effect on May 1, 2009. According to the FTC, any entity that “regularly extends, renews or continues credit, or any creditor that is involved in the decision to extend credit” must comply with this rule. Examples of creditors who may need to put the Red Flag Rules into place for their businesses are:
- Finance companies
- Automotive dealers
- Mortgage brokers
- Utility companies
- Oil companies
- Telecommunications companies
Just what are the “Red Flags”? According to the FTC’s final rule, the red flags can be but are not limited to:
- Alerts, notifications or warnings from a consumer credit reporting agency.
- Suspicious documents, such as those that may appear to be forged.
- Suspicious personal information, such as a social security number that is invalid, doesn’t exist, or is listed on the Social Security Administration’s Death Master File.
- Receiving requests for new, additional or replacement credit cards, debit cards, cell phones or adding authorized users after receiving a change of address form.
- Address discrepancies.
- Unusual credit activity, such as increased inquiries.
- Signatures that are inconsistent with information on file.
- Information on an ID not matching any address on a credit report.
- Drastic changes in payment patterns.
- Mail being returned for an undeliverable address yet the account is being used.
- Customers reporting that they are not receiving bills or statements.
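Several of the red flags above are patterns in account activity rather than single facts, so they lend themselves to an automated check over a creditor’s own event records. The following is an added example, not code from the FTC or from the author: it screens a constructed stream of account events for three of the listed patterns (a card request shortly after a change of address, an account still in use after mail is returned undeliverable, and a customer reporting missing statements). The event kinds and the 30-day window are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Event:
    account: str
    day: date
    kind: str   # assumed kinds: address_change, card_request, mail_returned, purchase, no_statement

def find_red_flags(events, window_days=30):
    """Map each account to the red-flag patterns its events match.

    Three of the FTC-listed patterns are checked; the event names and the
    window_days threshold are assumptions made for this example."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.day):
        by_account.setdefault(ev.account, []).append(ev)
    flags = {}
    for account, evs in by_account.items():
        found = []
        # Pattern 1: request for a new/replacement card shortly AFTER a change of address
        address_changes = [e.day for e in evs if e.kind == "address_change"]
        if any(e.kind == "card_request"
               and any(0 <= (e.day - d).days <= window_days for d in address_changes)
               for e in evs):
            found.append("card request after change of address")
        # Pattern 2: mail returned as undeliverable, yet the account is still being used
        returned = [e.day for e in evs if e.kind == "mail_returned"]
        if returned and any(e.kind == "purchase" and e.day >= min(returned) for e in evs):
            found.append("account used after mail returned undeliverable")
        # Pattern 3: customer reports not receiving bills or statements
        if any(e.kind == "no_statement" for e in evs):
            found.append("customer reports missing statements")
        if found:
            flags[account] = found
    return flags

# Constructed sample events for the example (not real customer data)
SAMPLE_EVENTS = [
    Event("A100", date(2009, 5, 1), "address_change"),
    Event("A100", date(2009, 5, 10), "card_request"),     # 9 days later -> flagged
    Event("B200", date(2009, 5, 3), "mail_returned"),
    Event("B200", date(2009, 5, 5), "purchase"),          # still in use -> flagged
    Event("C300", date(2009, 4, 20), "card_request"),     # BEFORE the address change -> not flagged
    Event("C300", date(2009, 5, 4), "address_change"),
    Event("D400", date(2009, 5, 6), "no_statement"),      # flagged
]

if __name__ == "__main__":
    for account, found in find_red_flags(SAMPLE_EVENTS).items():
        print(account, "->", "; ".join(found))
```

A flagged account is a prompt for the review step the rule requires, not a determination that theft has occurred; the ordering check in pattern 1 keeps a routine card request that preceded a later move from being flagged.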
The FTC estimates that as many as 9 million Americans have their identities stolen each year, leading to over $56.6 billion in costs.
According to the Better Business Bureau, the average amount lost to fraud per case has increased from $5,249 in 2003 to $6,383 in 2006. If you are a business that extends credit to customers and you do not comply with the Red Flag Rules, the civil penalty can be up to $2,500 per violation, enforced by the FTC. The FTC will enforce the Red Flag Rules based on consumer complaints.
What you can do to comply:
- Keep customers’ sensitive personal information secure.
- Take stock: what personal information do you have in your files and on your computers?
- Clean out and throw away any outdated or personal information on customers that you no longer need — buy a shredder.
- Write a plan that is easy to follow and that will help you to respond to any security incidents.
- Require employees to log out of computer programs that hold personal customer information as soon as they are done accessing that information.
- Use only one computer to store personal customer information and limit access to it.
- Keep up to date on alerts and vulnerabilities affecting your computers by visiting www.sans.org.
- Never give out any personal customer information over the phone or in emails.
- Change computer passwords frequently.
- Train employees; visit www.ftc.gov/infosecurity for a tutorial, or www.OnGuardOnline.gov.
- If you outsource any business functions, investigate the vendor companies’ data security policies and practices and compare them to yours; visit their facilities if possible.
If you have signed credit applications, personal guarantees, or any paperwork with personal information for your customers, keep it under lock and key. This can include invoices, receipts or statements. Take stock of what personal information you have in your file cabinets, computers, laptops, flash drives, disks, emails and anywhere else your company stores sensitive data. Once you have a clear picture of what you are dealing with, it will be much easier to create a plan. Decide who in your business will have access to this information and who will not. Make a firm decision and enforce it. Limit who has a key and limit the number of keys.
When you are taking stock, if you find you don’t need some of the personal information you have on some customers, get rid of it. Shred it and toss it. This paperwork might look like a bunch of trash to you but it is a gold mine for an identity thief.
When you are putting your plan into writing remember to list who to notify in the event of a security incident. This might include the customer, or consumer, law enforcement, your attorney, the credit bureaus or other business owners that might be affected by a breach.
Your plan doesn’t have to be long and complicated; it should be written according to your company’s size and complexity. Your plan must:
- Designate one or more employees to coordinate the information security program, or be in charge of the program.
- Identify and assess any risks to customer information and evaluate the effectiveness of your current safeguards for controlling those risks.
- Write and implement a safeguards program, as well as monitor and test it regularly. For example, what will you do if someone’s identity is stolen and what do you do now to prevent identity theft?
- Screen service providers to make sure they meet your security measures and maintain those safeguards, and oversee their handling of your customers’ personal information.
- Evaluate and adjust the plan as things change within your business, with the law or as the result of security testing and monitoring.
Your plan can be a single page, or multiple pages with many chapters.
Make sure you identify any unique risks your company might have, depending on the nature of your business. If you have employees that work from home, research and write a specific plan for those computers, emails and employees.
For more information on the rules, or to educate yourself or your staff, contact Michael Barnett at Barnett Training, www.BarnettTraining.com, or visit the FTC website at www.ftc.gov.
Michelle Dunn helps companies that want to have customers that pay on time or early; she works with companies that are struggling with customers that pay late or don’t pay. Michelle has over 21 years’ experience in credit and debt collection, is the author of many books, and possesses a depth of knowledge and a whole tool kit of products and services that can make a big difference for your company. www.MichelleDunn.com & www.Credit-and-Collections.com