Based on the “red flags rule,” entities are considered creditors if they do which of the following?
Mar 03, 2017 Show Millions of Americans have their identities stolen each year. In addition to the impact on individuals, the cost to entities – left with unpaid bills racked up by scam artists – can be staggering, too. In response to the growing cases of identity theft, effective as of January 1, 2008, the Federal Trade Commission implemented the “Red Flags Rule”. The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage caused by identify theft. By identifying red flags in advance, entities are better equipped to identify suspicious patterns when they arise and take steps to prevent a red flag from escalating into a case of identity theft. The Red Flags Rule is enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration. The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The Program must include four basic elements, which together create a framework to address the threat of identity theft.
The Rule sets out the basic elements of Identity Theft Prevention Programs, but who is required to comply? Moreover, how can governmental agencies determine whether or not they are required to comply with the Rule? As identified by the FTC, the Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires entities to conduct a periodic risk assessment to determine if they have “covered accounts.” They need to implement a written program only if they have covered accounts. It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether a business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.
Based on information provided by the FTC with respect to who is required to comply, governmental agencies are not exempt solely based on industry. Government agencies typically do not qualify as financial institutions. As a result, most government agencies need only to determine whether or not they are considered to be a creditor as defined by the FTC. If the government agency defers payment for goods and services and bills customers later, then the government agency may fall within the definition of a creditor, depending on how and when they collect payment for services. Once the government agency determines whether or not it meets the definition of a creditor, then it must consider whether or not it has covered accounts. Two categories of accounts are covered:
If a governmental agency does not have any covered accounts, then it is not required to have a written Identity Theft Protection Program. The governmental agency is still required to conduct a periodic risk assessment to determine if it has acquired any covered accounts through changes to structure, processes, or the entity. If a governmental agency determines that it is a creditor with covered accounts, the governmental agency must develop and implement a written Identity Theft Prevention Program. The Program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. The Program must be appropriate to the size and complexity of the governmental agency and the nature and scope of its activities. A governmental agency with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Program. If a governmental agency determines that it is required to comply with the Red Flags rule, the following is a four step process that can be used to develop and implement a written Identity Theft Prevention Program. Identify relevant red flags
Detect red flags Set up procedures to detect those red flags in day-to-day operations.
Prevent and mitigate identity theft If the government agency spots the red flags identified, it should respond appropriately to prevent and mitigate the harm done. Some common responses include:
Update the Program The risks of identity theft can change rapidly, so it’s important to keep the Program current and educate pertinent staff. Factor in changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts offered; and changes in the entity, such as mergers, acquisitions, alliances, joint ventures, and arrangements with service providers. The initial written Program must get the approval of those charged with governance. Those charged with governance may oversee, develop, implement, and administer the Program or may designate a member of management to do the job. Responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how the governmental agency is complying with the Rule, and approving important changes to the Program. The Rule requires that government agencies train relevant staff only as “necessary” – for example, staff that has received anti-fraud prevention training may not need to be re-trained. Employees at many levels can play a key role in identity theft deterrence and detection. The person responsible for monitoring the Program should report at least annually to those charged with governance. The report should evaluate how effective the Program has been in addressing the risk of identity theft; how the government agency is monitoring the practices of service providers; significant incidents of identity theft and response; and recommendations for major changes to the Program.
What is the primary purpose of the Red Flag Rule?The Red Flags Rule seeks to prevent identity theft, too, by ensuring that your business or organization is on the lookout for the signs that a crook is using someone else's information, typically to get products or services from you without paying for them.
What is one area covered in the red flags rule that must be addressed in a Banks Red Flag program?The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments ...
What are the red flags of identity theft?5 Identity Theft Areas under the Red Flags Rule
consumer reports. identification documents and information. address discrepancy notices. suspicious address changes, and.
What are the elements of an identity theft prevention program?The Program contains mechanisms to: identify and detect relevant Red Flags; respond appropriately to prevent Identity Theft and mitigate damages; and ensure that the Program is updated periodically to reflect changes in risks.
|