Identity theft takes a massive toll on millions of Americans each year. It also has a devastating financial effect on the merchants and credit organizations who constantly struggle to avoid breaches and pay the costs involved in dealing with the aftermath of the successful ones. In order to help businesses detect and prevent this type of fraud, the Federal Trade Commission (FTC) has developed a set of comprehensive FTC red flag rules. Before your next compliance audit, you need to learn about these rules and be absolutely sure that your institution is implementing them in full.

What Is the Red Flags Rule?

The FTC red flags rule is a set of strategies implemented by the federal government. Enforcement began on January 1, 2011. It requires online and brick-and-mortar merchants to establish written procedures to prevent and detect identity theft. To that end, the rule identifies certain “red flags” that often signal identity theft and provides steps for prevention and mitigation of these types of data breaches. Once the program has been implemented, it is incumbent upon the business to keep it updated. Furthermore, creditor organizations should hire a third-party auditor to do regular assessments in order to ensure that the organization remains in compliance with the standards.

Red Flag Categories

To give businesses a starting point from which to build their own programs, the FTC has defined five categories of red flags:

  • Alerts, notifications, alarms or warnings from a consumer reporting agency;
  • Documents that seem suspicious;
  • Suspicious activity pertaining to a covered account;
  • Suspicious personal information from a credit card payment customer;
  • Notifications from law enforcement authorities, customers or other entities regarding suspected identity theft pertaining to a covered account.

This information is only a starting point, however. Companies should take their own individual industries and customers into consideration in coming up with additional categories for protecting sensitive identity data.

Setting Up a Red Flag Policy

As a way to guide companies and their management teams, the FTC has laid out four elements that are essential for any red flag program. They include the following:

  • There should be a clear set of protocols and procedures that specify and identify the warning signs, suspicious behaviors and other indicators of potential identity theft that stakeholders should watch for.
  • Guidelines should be in place and communicated to all stakeholders regarding how to spot any inconsistencies or deviations from existing practices that might signal identity theft.
  • The document must clearly describe all of the corrective steps the organization will take if identity theft is discovered.
  • The policy must specify how the business will keep its systems and practices up-to-date to guard against constantly evolving attack vectors.

Considering that ensuring the privacy and integrity of your customers’ account data is one of your company’s most important responsibilities, institutions like yours should take advantage of all resources and information available in order to comply with these vitally important rules.

The Necessity of Red Flag Compliance

The FTC has collaborated with several other entities, including the federal bank regulating agencies and the National Credit Union Administration, to come up with the Fair and Accurate Credit Transactions Act of 2003. This law sets the penalties for companies that do not comply: a maximum of $3,500 per infraction in civil fines and $11,000 per infraction per day in fines to the FTC. Needless to say, these charges can mount quickly and can put firms in financial peril.

Other Steps You Can Take For Red Flags Rule Compliance

Protecting consumers’ data and preventing fraud require a multi-layered defense strategy. In addition to adhering to the guidelines above, vigilance calls for the following steps:

  • Train your staff to identify identity theft warning signs as well as the proper chain of command for reporting their concerns. This should happen whether a suspicious credit card transaction takes place in person or via your website.
  • Limit access to accounts and files to only those people who need the relevant information. The tighter your security in this area, the less likely it is that breaches and other negative events will occur.
  • Have comprehensive knowledge of all procedures involved in obtaining and verifying customer information, and check each of them for weaknesses. This will probably involve working with a third-party entity, which must also have stringent threat prevention and detection strategies in place.
  • According to the FTC red flags rule, certain administrative requirements must also be followed: Your plan must be approved by management; it must be evaluated periodically for effectiveness, and there must be policies and procedures in place that make it possible for stakeholders to follow the plan’s requirements.

If your company is a financial institution or a creditor and you have covered accounts as defined by the FTC red flags rule, you most likely need to comply with this statute. If you need additional guidance, you should consult with your company’s legal team or enlist the services of a third-party consultant. It is best to get answers to these questions as soon as possible since your customers’ information is too important to put at risk.