By Jeffrey Ziplow, MBA, CISA, CGEIT 

Identity thieves, hackers or "Phisherman" are just different names for thieves who steal people's personal information to open new financial accounts or misuse existing accounts. If you are considered a financial institution or a creditor, you should be aware of a new rule that took effect on November 1, 2008, with enforcement that began on May 1, 2009 (the FTC delayed enforcement for six months). It outlines steps to detect the warning signs of identity theft and help protect your clients' accounts.

As part of the Fair and Accurate Transactions (FACT) Act of 2003, the "Red Flags Rule" requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program (ITPP) to identify possible identity theft and mitigate the potential damage caused by this crime.

Are you a creditor?

While the Red Flags Rule doesn't target one specific business sector, in general, you're a creditor if your institution or business:

  • Regularly provides or extends credit
  • Regularly defers payment for goods and services
  • Provides goods and services and then bills the customer later

Some examples of the types of companies that may be considered creditors under this new rule:

  • Professional service organizations
  • Healthcare institutions
  • Utility companies 
  • Telecommunications companies

A business that extends credit to another business is not automatically subject to the new rule, since its accounts do not necessarily threaten an individual's identity or place him or her at risk.

How to comply

While there are no police to enforce compliance for this type of identity theft program, the rule does provide financial institutions and creditors with a good business practice. To comply with the FTC's new Red Flags Rule, BlumShapiro suggests the following steps:

Step #1: Determine if you need to comply with the Red Flags Rule

Determine if you have one or more covered accounts. A "covered account" meets one or both of the following criteria:

  • It is an account that your institution maintains for personal, family or household purposes that is designed to permit multiple payments or transactions.
  • Any other account that presents a reasonable risk of identity theft.

Step #2: Comply with the rule

If your institution has covered accounts, get familiar with the requirements of the Red Flags Rule and take steps to comply in order to protect your customer base from identity theft.

Step #3: Develop a written Identity Theft Prevention Program (ITPP)

Make sure it's approved by your board of directors and outlines who is responsible for updating and administering the plan.

The Red Flags Rule has been developed to protect the consumer from identity theft. This is one step in a series of "best business practices" that will help mitigate the loss of critical personal information.

To learn how BlumShapiro can help you develop an ITPP for your organization, contact Jeffrey Ziplow at (860) 561-6815 or by email at 
