The digital landscape has brought numerous benefits to an increasingly interconnected world. However, it has also paved the way for new challenges, particularly identity theft. In response to these growing threats, the Federal Trade Commission (FTC) introduced the Red Flags Rule, an essential safeguard designed to curb the rising tide of identity theft. Effective 1 November 2009, the rule requires certain entities to establish programs that facilitate detecting, preventing, and mitigating identity theft.
In this blog, we delve into the intricacies of the FTC's Red Flags Rule, exploring whom it applies to, what covered accounts are, the obligations for covered entities and their significance, and how organizations can adopt proactive compliance measures. By understanding the FTC's Red Flags Rule, individuals and organizations can fortify their defenses against identity theft and contribute to a safer digital ecosystem.
The Red Flags Rule is a regulatory framework established by the FTC to combat identity theft in the United States. It requires certain financial institutions and creditors to establish and implement identity theft prevention strategies to identify, detect, and reduce "red flags" or indicators of potential identity theft inside their operations.
Under the FTC Red Flags Rule, organizations must put in place a written identity theft prevention program to assist them in identifying any relevant "red flags" that indicate identity theft in everyday business operations. The Rule also offers steps to help prevent crime and to mitigate its damage. You don't need a written program if you don’t have any covered accounts.
The Red Flags Rule applies to financial institutions and creditors that offer or maintain covered accounts. To determine whether the Rule applies, financial institutions and creditors must periodically assess whether they offer or maintain covered accounts. The decision is based on whether a business's operations fall within the relevant definitions, not on its industry or sector. An organization must implement a written program only if it has covered accounts.
Let us examine what exactly ‘financial institution’, ‘creditor’, and ‘covered account’ mean for the purposes of the Red Flags Rule.
A financial institution may be a state or national bank, a mutual savings bank, a federal or state savings and loan association, a federal credit union, or a person holding a transaction account that belongs to a consumer.
A business can be a creditor based on its conduct. To determine if a business’s conduct makes it a creditor, the following question-based steps can be helpful:
Answer the following question:
“Does the business or organization regularly:
If the answer is “NO” to all questions, the Rule does not apply. However, if the answer to one or more questions is “YES,” proceed to Step 2.
Answer the following question:
“Does the business or organization regularly:
The Rule is not applicable if the answer is “NO” to all the questions; however, the business is considered a creditor under the Rule if the answer is “YES” to one or more of the above questions.
Once a business or organization has determined that it is a financial institution or a creditor covered by the Rule, it must determine if it has any “covered accounts.” The business or organization should look at existing as well as new accounts.
Following are the two types of accounts that are covered accounts for the purposes of the Red Flags Rule:
In determining if accounts are covered under the second category, the businesses should consider how the accounts are opened and accessed. The risk analysis must consider any actual incidents of identity theft involving accounts like these.
Each financial institution or creditor must reassess whether it provides or maintains covered accounts periodically. A financial institution or creditor must conduct a risk assessment to determine whether it provides or maintains covered accounts, taking into account:
Financial institutions and creditors that offer or maintain covered accounts must establish and implement a written Identity Theft Prevention Program (ITPP). The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities, and it must be able to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must consist of policies and procedures to identify and detect the red flags and respond appropriately to prevent and mitigate identity theft.
Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft. Appendix A to the Red Flags Rule provides the following five categories of red flags that financial institutions and creditors should consider including in their programs:
Supplement A to Appendix A also provides illustrative examples for the above red flag categories.
Different types of accounts pose different kinds of risks. For example, red flags for deposit accounts may differ from red flags for credit accounts, and those for consumer accounts may differ from those for business accounts. Therefore, while identifying key red flags, financial institutions or creditors should consider the types of covered accounts they offer or maintain, how they open covered accounts, how they provide access to those covered accounts, and what they know about identity theft in their businesses.
Technology and criminal techniques change constantly, so keeping up-to-date on new threats is important. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
The policies and procedures of an ITPP should address the detection of red flags in connection with the opening of new covered accounts as well as the existing ones. For example, red flags can be detected by:
Once a financial institution or a creditor has detected the red flags, its ITPP must be able to provide appropriate responses that are commensurate with the degree of risk posed. The appropriate responses must also consider the aggravating circumstances that may heighten identity theft risk. Following are some examples of appropriate responses:
To ensure safety from identity theft, the financial institutions and the creditors must periodically update their ITPP. The following factors must be considered while updating the ITPP:
The Board of Directors (Board), an appropriate committee of the Board, or someone in the senior management must approve the initial written ITPP. The Board may oversee, develop, implement, and administer the ITPP or designate a senior employee to do the job. Responsibilities include assigning specific responsibility for the program’s implementation, reviewing staff reports about compliance with the Rule, and approving important changes to your ITPP.
In administering your program, monitor the activities of your service providers. If they’re conducting activities covered by the Rule — for example, opening or managing accounts, billing customers, providing customer service, or collecting debts — they must apply the same standards you would if you were performing the tasks yourself.
The person responsible for your ITPP should report at least annually to your Board or a designated senior manager. The report should evaluate how effective your ITPP has been in addressing the risk of identity theft, how you’re monitoring the practices of your service providers, significant incidents of identity theft and your response, and recommendations for major changes to the ITPP.
Complying with the FTC's Red Flags Rule involves implementing an efficient ITPP that is suited to the organization's size, nature of business, and possible risks. The general actions businesses can take to ensure compliance are:
Identify the accounts that the rule considers to be "covered accounts." These are accounts that are exposed to identity theft and involve numerous payments or transactions.
Establish an individual or group in charge of managing the development, implementation, and maintenance of the ITPP.
Conduct risk assessments to evaluate the organization's operations to identify potential red flags or indicators of identity theft. Consider elements like the kinds of accounts provided, the ways to access accounts, and prior instances of identity theft.
Specify how the organization will identify and respond to red flags through documented policies and procedures. This includes specifics on the red flags that will be monitored and remediation actions when they are discovered.
Train employees on identifying and detecting red flags and on the proper response procedures. Assess employees' knowledge of the organization's identity theft prevention program and their responsibilities under it.
Create a detailed plan for handling any discovered red flags. Describe what to do after identifying a red flag, including confirming the account holder's identity and, if necessary, alerting the relevant law enforcement or regulatory bodies.
Monitor for any potential red flags in your accounts and transactions. Review and frequently update the identity theft prevention program to account for new risks and conditions.
Establish procedures for monitoring and ensuring third-party service providers' compliance with the Red Flags Rule if the organization uses them to manage covered accounts or activities.
Ensuring compliance with the FTC's Red Flags Rule is essential for business continuity and for avoiding noncompliance penalties. The penalty for noncompliance with the Red Flags Rule is a maximum of $3,500 in civil fines per violation and up to $2,500 per infraction.