Red Flags Rule Enforcement Extended

By: Gardiner Thomsen CPAsemail

The Federal Trade Commission (FTC) has issued regulations known as the “Red Flags Rule” requiring certain entities such as creditors and financial institutions to develop and implement a written Identity Theft Prevention Program. Municipal utilities and governmental entities that defer payment for goods or services are considered creditors for these purposes. The program should include policies and procedures to identify, detect and respond to patterns, practices or specific activities that indicate the warning signs or “red flags” of potential identity theft in day-to-day operations. It should also state how to mitigate the risks of identity theft and evaluate the program to address new risks. The program must be approved by the governing body, and should include information about training staff and monitoring the work of the entity’s service providers. All members of the entity’s staff must be familiar with the Red Flags Rule and compliance procedures. Enforcement of the rule has now been extended to December 31, 2010, while Congress considers legislation that would affect the scope of the included entities. A handbook on developing an Identity Theft Prevention Program and information about compliance is available at A fill-in-the-blank form for businesses and organizations at low risk for identity theft is available at and offers step-by-step instructions for creating a written Identity Theft Prevention Program. The form can be filled out online and printed. If you have any questions about the Red Flags Rule or would like further assistance on developing an Identity Theft Prevention Program, please contact us, we would be happy to help.