By Jeffrey Ziplow, MBA, CISA, CGEIT
Identity thieves, hackers or "Phisherman" are just different names for thieves who steal people's personal information to open new financial accounts or misuse existing accounts. If you are considered a financial institution or a creditor, you should be aware of a new rule that took effect on November 1, 2008, with enforcement that began on May 1, 2009 (FTC delayed enforcement for six months). It outlines steps to detect the warning signs of identity theft and help protect your clients' accounts.
As part of the Fair and Accurate Transactions (FACT) Act of 2003, the "Red Flags Rule" requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program (ITPP) to identify possible identity theft and mitigate the potential damage caused by this crime.
Are you a creditor?
While the Red Flags Rule doesn't target one specific business sector, in general, you're a creditor if your institution or business:
- Regularly provides or extends credit
- Regularly defers payment for goods and services
- Provides goods and services and then bills the customer later
Some examples of the types of companies that may be considered creditors under this new rule:
- Professional service organizations
- Healthcare institutions
- Utility companies
- Telecommunications companies
A business that extends credit to another business is not automatically subject to the new rule, since its accounts are not necessarily a threat to an individual's identity and do not place him or her at risk.
How to comply
While there's no police to enforce compliance for this type of identity theft program, it does provide financial institutions and creditors with a good business practice. To comply with the FTC's new Red Flags Rule, BlumShapiro suggests the following steps:
Step #1: Determine if you need to comply with the Red Flags Rule
Determine if you have one or more covered accounts. A "covered account" meets one or both of the following criteria:
- It is an account that your institution maintains for personal, family or household purposes that is designed to permit multiple payments or transactions.
- Any other account that presents a reasonable risk of identity theft.
Step #2: Comply with the rule
If your institution has covered accounts, get familiar with the requirements of the Red Flags Rule and take steps to comply in order to protect your customer base from identity theft.
Step #3: Develop a written Identity Theft Prevention Program (ITPP)
Make sure it's approved by your board of directors and outlines who is responsible for updating and administering the plan.
The Red Flags Rule has been developed to protect the consumer from identity theft. This is one step in a series of "best business practices" that will help mitigate the loss of critical personal information.
To learn how BlumShapiro can help you develop an ITPP for your organization, contact Jeffrey Ziplow at (860) 561-6815 or by email at firstname.lastname@example.org.