Identity Theft Policies for Businesses
The Federal Trade Commission (FTC) has revised and clarified its “Red Flags Rule” to help covered businesses comply with requirements for preventing and responding to identity theft directed at their customers. The Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs (or “red flags”) of identity theft in their day-to-day operations.
The ultimate goal is to make businesses better able to spot suspicious patterns as they arise and to thwart identity theft. This is good for customer relations, and it can also spare the business the stressful and costly process of cleaning up the mess once thieves have struck.
The FTC describes an Identity Theft Prevention Program as a “playbook” that must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. With such a program in place, an organization should be able to (1) identify relevant patterns, practices, and specific forms of activity (the “red flags”) that signal possible identity theft; (2) incorporate business practices to detect red flags; (3) detail appropriate responses to any uncovered red flags, to prevent and mitigate identity theft; and (4) update the program periodically to reflect changes in risks from identity theft.
The Red Flags Rule includes guidelines to help financial institutions and creditors develop and implement a program, including a supplement that offers examples of red flags.
Some general categories of red flags are notifications or warnings from a consumer reporting agency or from the customer himself; suspicious-looking documents or personal identifying information; and unusual use of, or suspicious activity related to, a covered account. The FTC and the federal financial agencies also have issued Frequently Asked Questions and answers to help businesses comply with the Rule.
The Rule requires “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for new and existing accounts. The definition of “financial institution” includes all banks, savings associations, and credit unions, regardless of whether they hold a transaction account belonging to a consumer, and anyone else who directly or indirectly holds a transaction account belonging to a consumer.
A 2010 change in the law amended the definition of “creditor” and limited the circumstances under which creditors are covered. The previous definition of “creditor” was so broad in its language and interpretation that it swept too many businesses within the Rule’s reach.
The new law covers creditors who regularly, and in the ordinary course of business, meet one of three general criteria. They must (1) obtain or use consumer reports in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to, or on behalf of, someone, except for funds for expenses incidental to a service provided by the creditor to that person.