Red Flags Rule is Finally in Effect — What Telcos Need to Know

February 7, 2011 by Guest Contributor

For companies that regularly extend credit, the need to establish an identity theft protection program is finally here. After almost two years of delay, the Red Flags Rule is now in force.

For readers of the Experian Decision Analytics blog, the Rule has been a familiar topic since passage. If you want to skip ahead to find out what you need to know, we’ve made it easy by boiling it down to three main things. (You’ll find the “3 Things Telcos Should Know About the Rule” towards the end.) However, some background might be helpful to better understand the issues behind the delay.

Discussion about Red Flags requirements first began when Congress passed the Fair and Accurate Credit Transactions Act in 2003, requiring the Federal Trade Commission to write and enforce the Rule as the nation’s consumer protection agency. The Red Flags Rule was actually enacted on Jan 1, 2008, but enforcement was delayed until December 31, 2010 to better clarify the terms of compliance and who had to follow them.

Why the Red Flags Rule matters
A “red flag” is something that signals possible identity theft, including any suspicious activity suggesting crooks might be using stolen information to establish service. The regulation now requires companies to develop a written “red flags program” to detect, prevent and minimize damage that could result from a security breach.

Establishing a Red Flags program
Companies that regularly extend credit or use consumer reports in connection with a credit transaction need to have a risk-based security program in place. The program must detail the process for detecting red flags, describe how to respond to prevent and mitigate identity theft, and spell out how to keep the program current.

Decision to delay: the definition of “creditor”
At the center of the FTC’s decision to delay enforcement was the broad definition Congress gave to the term “creditor.” The Rule swept in a number of non-financial companies (many of them small businesses) that didn’t know whether it applied to them and, if it did, lacked the time or expertise to establish proper procedures to comply. Failure to comply could lead to costly fines or civil actions.

New Red Flags exemptions
To resolve the issue, Congress approved legislation providing exemptions for businesses that provide goods or services and then accept payment later. The bill redefines the term “creditor” to apply only to businesses that advance funds to, or on behalf of, a customer based on an obligation to repay.

3 things telcos should know about the Red Flags Rule:

1. Telcos are covered by the Rule

For companies, like telcos, that obtain consumer reports, directly or indirectly, in connection with a credit transaction, the requirement to comply hasn’t changed. In fact, under regulatory guidance, the FTC specifically lists telecommunications companies among those who need to comply.

2. Your company needs a written Red Flags program

The FTC Rule requires that organizations identify and address the “red flags” that could indicate identity theft and update the program periodically. The program must address certain “covered accounts,” which include consumer accounts with frequent transactions and any accounts that carry a risk of identity theft. An annual report must also be prepared for senior management or the board of directors.

3. How to comply is up to you

The good news is that the Rule doesn’t require any specific practice or procedures. Companies have the flexibility to tailor compliance programs to the nature of their business and the risks they face. The FTC will assess compliance based upon whether a company is taking “reasonable policies and procedures” to prevent identity theft.