Upon completion of this Case Study, participants should:
Identity Theft has been an ongoing problem in the United States for some time, with new cases increasing every year. The Federal Trade Commission (FTC) estimates nine million Americans will have their identities stolen this year. This current problem creates major issues for small and mid-sized businesses and organizations, bringing unexpected costs, litigation and lawyer fees. In some cases, criminal charges follow.
People do not always realize the risk associated with a government investigation or the power the investigators hold. Government agencies will investigate wrongdoings, intentional or not. Business owners and leaders who do not view themselves as being “criminals” frequently find themselves being accused of white-collar crimes. This case study profiles the FTC “Red Flags Rule” and offers suggestions on how to properly follow the law and stay out of trouble.
The FTC Red Flags Rule requires businesses and organizations to implement a written identity theft prevention program. The agency designed this program:
According to the FTC, a Red Flags Rule program must include four basic elements that create a framework to deal with the threat of identity theft. A Red Flags Rule program must:
Securing data that a business collects and maintains about customers can reduce Identity Theft. The Red Flags Rule seeks to prevent Identity Theft. It requires a business or organization to stay on the lookout for the signs that someone may be using someone else’s information. Typically, thieves steal identities to obtain products or services illegally.
In accordance with FTC guidance, we recommend a two-pronged approach in the battle against Identity Theft:
The FTC has been clear that the agency expects an organized and well-defined Identity Theft program. The agency would like to see a written program that is integral to daily operations of the business. The Rule should be appropriate to a business’ size and its potential risk to Identity Theft. Larger businesses and organizations will need a more comprehensive written program to address a high risk of Identity Theft.
The Red Flags Rule requires “financial institutions” and some “creditors” to conduct a periodic risk assessment to determine if they have “covered accounts.”
The FTC will determine “covered accounts” in accordance with relevant definitions. The FTC uses the federal statutory definition from the Equal Credit Opportunity Act (ECOA). In layman's terms, the term “creditor” relates to deferring payment from a customer for goods or services over a set period of time.
The FTC has provided the below step-by-step guide to assess whether a business qualifies as a creditor under the Red Flags Rule. Leaders should ask the following questions:
Does my business or organization regularly:
If you answer:
Does my business or organization regularly in the ordinary course of business:
If you answer:
If a business or organization acts as a “creditor” as defined by the FTC, the business must determine if it maintains any “covered accounts.”
To determine whether “covered accounts” apply, leaders must assess existing and new accounts:
If the analysis shows the business does not have any “covered accounts,” the business does not need a written Red Flags Rule program.
• Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business | Federal Trade Commission (ftc.gov)