Red Flags Rule Identity Theft Prevention Program


Summary

This identity theft program template is used to comply with the Federal Trade Commission's (FTC's) Red Flags Rule. 16 C.F.R. § 681.1. The Red Flags Rule requires financial institutions and creditors who offer or maintain at least one covered account to implement certain policies and procedures into an identity theft program. This template includes practical guidance and drafting notes.

Red flags are events that should alert you that there is a risk of identity theft, a fraud committed or attempted using an individual's identifying information.

Covered accounts are:

• Credit accounts (i.e., a new or current consumer account that permits multiple or deferred payments or transactions) with deferred payments –or–
• Other accounts for which there is a heightened risk of identity theft (e.g., single transaction, one-time payment accounts, or records that may be vulnerable to identity theft because personal identifying information is collected and retained).

The following transactions are NOT covered accounts under the Red Flags Rule:

• Full payment is collected at the time of service and no identifying information is retained.
• A credit card is accepted to make payment in full at the time of service and no identifying information is retained.
• You are the buyer or receiver of the service; for example, payments you make for office supplies, to rent an outside facility, or for travel expenses.

As you draft your program, keep in mind the main objective—to create an effective framework to reduce identity theft for your covered accounts. To do so, the Red Flags Rule requires your program to include the following four components:

1. Identify Red Flags. Prepare policies and procedures to identify red flags that may occur in your day-to-day operations. For example, if a customer has to provide identification to open an account, an ID that does not look genuine is a red flag.
2. Detect Red Flags. Your Program must be designed to detect the red flags you have identified. If you have identified fake IDs as a red flag, for example, you must create procedures to detect possible fake, forged, or altered identification.
3. Respond to Red Flags. Determine how you will respond to the identified red flags. For example, your employee checked a photo ID and detected an inconsistency. The response may be to request another form of identification or withhold products or services until the inconsistency can be resolved. Examples that may apply include: determine that no response is warranted (inconsistencies are adequately explained), contact the applicant, change account passwords or other access devices, notify law enforcement.
4. Annual Review. Conduct an annual review of your Program and also identify events that occur during the year which require changes to keep the Program current and reflect new threats of identity theft.

Rule: 16 C.F.R. § 681.1(e)

Being aware of the requirements of the Red Flags Rule and its application is an essential first step toward compliance. However, having a written program will not, by itself, reduce the risk of identity theft. This Form includes procedures to integrate into the Company's daily operations.

The best practice is to collect and retain as little information as necessary to complete any transaction in order to avoid the risk of exposure. For example, when collecting registration fees for a special event, do not retain a copy of the check if all you need is a record indicating the amount of the payment collected.

For more practical guidance on identity theft, see Identity Theft Overview (Federal), Identity Theft State Law Survey, Red Flags Rule Identification and Detection Grid, and Red Flags Rule Detection of Identity Theft Reporting Form. For more information on the FTC's Red Flags Rule, see Modern Privacy & Surveillance Law 2.45. Additional FTC regulations can be found at 17 C.F.R. § 248.201.