FTC’s "Red Flags" Rule For Identity Theft Set To Take Effect August 1

UPDATE: To give “creditors” and “financial institutions” with covered accounts more time to develop and implement written Identity Theft Prevention Programs, the Federal Trade Commission (FTC) will further delay enforcement of the 'Red Flags' Rule until November 1, 2009.

After a three month delay to give creditors and financial institutions more time to develop and implement written identity theft prevention programs, the Federal Trade Commission (FTC) is scheduled to begin enforcement of the new “Red Flags Rule” on August 1, 2009.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies – including the FTC – to set forth rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

“Creditors” are any entities that regularly extend or renew credit – or arranges for others to do so – and regularly permit deferred payments for goods or services. Some examples are:

• Finance companies;
• Automobile dealers that provide or arrange financing;
• Mortgage brokers;
• Utility companies;
• Telecommunications companies;
• Non-profit and government entities that defer payment for goods or services; and
• Businesses that provide services and bill later, including many lawyers, doctors, and other professionals.

“Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as telephone transfers.

By August 1, these “creditors” and “financial institutions” with covered accounts will need to implement a written identity theft prevention program containing policies that identify, detect, and respond to “red flags” – patterns, practices, activities, or incidents that potentially implicate identity theft – while also ensuring the program is reviewed and updated in order to adjust to changing and developing identity theft risks.

Besides containing the four fundamental elements – identify, detect, respond, and ensure – each written identity theft prevention program must outline the patterns, practices, activities, and/or incidents that constitute “red flags” of identity theft, which can include:

• Alerts, notifications, or warnings received from a consumer credit reporting agency;
• The submission of suspicious documentation that appears to be altered or inconsistent with other documents on file;
• The submission of suspicious Personally Identifying Information (PII), such as multiple addresses;
• Unusual or suspicious use of, or access to, a covered account; and/or
• Notification from consumers or law enforcement authorities indicating suspected or actual identity theft.

The FTC's Red Flags Rule requiring creditors and financial institutions to implement written identity theft programs was originally supposed to take effect November 1, 2008, but the deadline was extended to May 1, 2009 due to confusion over which industries and entities were subject to the rule. The deadline for the identity theft rule was then extended, again, to August 1.

Pre-Employ.com – a leading background check and Business Outsourcing provider – believes that good data security equals good business. To learn more about how your business can prevent identity theft, visit www.pre-employ.com, email info@pre-employ.com, or call 1-800-300-1821. To follow Pre-Employ.com on Twitter, visit www.twitter.com/PreEmploy.

tahearn@pre-employ.com

*We welcome relevant comments and questions from consumers, experts, and human resources professionals. Please do not submit comments with advertisements as they will not be posted publicly. Thanks for visiting our blog!