Red Flag Rule
Red Flag Rules - History
At the end of 2007, the Federal Trade Commission (FTC) and five federal bank regulatory agencies (FDIC, OCC, Federal Reserve, OTS and NCUA) jointly issued the final rules and guidelines implementing sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act). These regulations adopted the "Red Flags Rule," which requires covered financial institutions and creditors that hold customer accounts to develop, implement, and maintain a written Identity Theft Prevention Program. The rules took effect January 1, 2008, with a mandatory compliance date of November 1, 2008. For entities under the FTC's jurisdiction, enforcement was then postponed several times: on April 30, 2009, the FTC announced it would delay enforcement until August 1, 2009, the second extension of the original deadline; the date was subsequently moved to November 1, 2009; and, under pressure from some members of Congress, the Commission pushed the enforcement date once more, to June 1, 2010. Institutions supervised by the federal banking agencies and the NCUA were not covered by the FTC's delays and remained subject to the original November 1, 2008 compliance date.
Who must comply with the Red Flags Rules?
The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.
Scope of the Red Flag Rule
The Red Flag Rule requires every financial institution and creditor with covered accounts to implement a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connection with those accounts. The Program must be documented and updated periodically, and updates must reflect changes in the risk to customers, or to the safety and soundness of the institution or creditor, from identity theft. The initial Program must be approved by the Board of Directors (or an appropriate committee of the Board) or, where there is no Board, by a designated senior management employee. The Board, a Board committee, or designated senior management is also responsible for overseeing the development, implementation and administration of the Program, including staff training and oversight of service providers that perform activities covered by the Program.
The four elements the Program must contain are "reasonable policies and procedures" to:
- Identify relevant Red Flags for covered accounts and incorporate them into the Program
- Detect the Red Flags that have been incorporated into the Program
- Respond appropriately to any Red Flags that are detected, in order to prevent and mitigate identity theft
- Update the Program periodically to reflect changes in the risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft
How TBG Can Help
While many financial institutions and creditors have informal processes in place to deal with identity theft, most have not formalized them. The Red Flag Rule now requires that such processes be documented and organized into an Identity Theft Prevention Program that detects, prevents and mitigates identity theft for covered accounts.
A holistic approach to information security helps integrate compliance efforts with business objectives so that resources are focused efficiently on IT governance and threat management. Working either as a full-service consultant or as an adjunct to your in-house business and security team, TBG will execute a three-phase compliance readiness process to ensure that your business meets or exceeds its compliance requirements. The TBG Security Compliance Services practice delivers a full range of assessment, remediation, implementation, certification and education services to help organizations of all sizes establish and improve compliance. We work closely with our clients to determine whether they are in compliance with the applicable regulations and standards, to document that compliance, and to improve their security practices. TBG Security's deep experience in information security and compliance requirements allows us to act as a Trusted Security Advisor, providing ongoing support for all your compliance initiatives.
For more information on how TBG Security can help your organization reach Red Flag compliance, contact us by email or call us directly at 877.233.6651 ext 704.