Red Flags Rule

By: Dennis Gardiner, Partner email

The Federal Trade Commission (FTC) has issued regulations known as the “Red Flags Rule” requiring certain entities to develop and implement a written Identity Theft Prevention Program. The purpose of the program is to assist the entity in identifying the red flags that indicate identity theft. The Fair and Accurate Credit Transactions Act of 2003 requires creditors and financial institutions with covered accounts to implement programs to identify, detect, and respond to patterns, practices or specific activities that could indicate identity theft. The definition of a creditor applies to any entity that regularly extends or renews credit, or arranges for others to do so, and includes all entities that regularly permit deferred payments for goods and services. Municipal utilities and governmental entities that defer payment for goods or services are considered creditors for these purposes. The Rule defines a covered account as a consumer account that allows multiple payments or any other account with a reasonably foreseeable risk of identity theft. An entity that regularly bills customers after services are provided is considered a creditor under the Red Flags Rule, and is required to develop a written Identity Theft Prevention Program. The Identity Theft Prevention Program should include policies and procedures to identify the warning signs or “red flags” of identity theft in day-to-day operations, which are suspicious patterns or practices or specific activities that indicate the possibility of identity theft. The program should be designed to detect the red flags identified, state the appropriate actions to mitigate the risks of identity theft and address how the entity will periodically evaluate the program to address new identified risks. The Program must be approved by the governing body, and should include information about training staff and monitoring the work of the government’s service providers. Most important is that all members of the entity’s staff are familiar with the Red Flags Rule and the compliance procedures. Enforcement of the rule has been extended to November 1, 2009 to give additional time for developing and implementing written identity theft prevention programs. There are no criminal penalties for failure to comply, however violators may be subject to financial penalties. In addition, compliance assures the entity’s customers that they are doing their part to fight identity theft. A handbook on developing an Identity Theft Prevention Program and information about compliance is available at as well as a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The form can be filled out online and printed. Please contact us if you have any questions; we will be more than happy to help you.