Legal Alert: Is Your Company Complying with the "Red Flags" Rule?
Every year identity theft costs businesses millions of dollars. As you may be aware, the recently adopted Red Flags Rule requires a broad range of businesses and organizations to implement written Identity Theft Prevention Programs designed to detect warning signs — or “red flags” — of identity theft in their day-to-day operations, take steps to prevent the crime of identity theft, and mitigate the damage it inflicts. If your company is a financial institution or you regularly allow customers to pay for goods or services after receipt of such goods and services, you may be subject to the Red Flags Rule.
According to the FTC, the Red Flags Rule is likely to impact more than 11 million businesses and organizations across a wide variety of industries, in particular those businesses that provide goods and services that are used generally for personal, family, and household purposes. The FTC is scheduled to begin enforcing the Red Flags Rule on June 1, 2010. Therefore, it is imperative that your company immediately assess whether it is subject to the Rule.
Who is Affected: The Red Flags Rule applies to “financial institutions” and “creditors” that offer or maintain one or more “covered accounts.” In addition, companies that provide services to financial institutions or creditors may be indirectly impacted by the Red Flags Rule.
As defined by the Rule, “financial institutions” are banks, savings and loan associations, credit unions, and any other entity that holds a deposit or other account that allows for payments or transfers of funds to third parties.
The term “creditor” is defined broadly to include any entity that regularly extends, renews or continues credit, as well as any entity that regularly arranges for the extension, renewal, or continuation of credit. Thus, the term creditor encompasses a wide variety of businesses and organizations such as finance companies, automobile dealers, schools, mortgage brokers, retailers, utility and telecommunications companies, certain debt collectors, and professional service providers such as accountants, dentists, veterinarians, and doctors.
If your company is a financial institution or you regularly extend credit or arrange for the extension of credit, the next step in evaluating whether you are subject to the Rule is to determine whether you offer or maintain “covered accounts.” Covered accounts are accounts used primarily for personal, family, or household purposes that involve multiple payments or transactions, such as credit card accounts, mortgage loans, car loans, utility accounts, and checking or savings accounts, as well as accounts for which there is a foreseeable risk of identity theft, such as small business or sole proprietorship accounts. If your business is a financial institution or creditor and you offer or maintain one or more covered accounts, you must comply with the Red Flags Rule.
What is Required: Companies subject to the Red Flags Rule must design and implement a written Identity Theft Prevention Program (a “Program”) that is intended to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
If your company is covered by the Red Flags Rule, your Identity Theft Prevention Program must be in place by June 1, 2010. While every Identity Theft Prevention Program must have four essential features and be adopted by the company’s board of directors, each Program must be uniquely tailored to the company’s size, complexity, and the nature and scope of its operations.
Impact of the Red Flags Rule on Service Providers: Your company also may be impacted by the Red Flags Rule if you do business with a financial institution or creditor that offers or maintains “covered accounts.” The Red Flags Rule requires financial institutions and creditors to exercise effective and appropriate oversight of service providers. If your company provides services to an entity subject to the Red Flags Rule, you will likely be asked to demonstrate that you have reasonable policies and procedures designed to detect, prevent, and mitigate identity theft. In some cases, service providers may even be asked to enter into a written contract certifying compliance with the Red Flags Rule.
Due to the broad scope of the Red Flags Rule, companies across all industries need to assess whether they are subject to or impacted by the Red Flags Rule. If you have questions regarding whether your company is subject to or may be impacted by the Red Flags Rule, what is required to comply with the Rule, or if you need assistance in designing or implementing a Program, please feel free to contact us.
D. Brock Denton
(513) 579-6456
ddenton@kmklaw.com
Jonathan M. Hiltz
(513) 562-1423
jhiltz@kmklaw.com
Julie T. Muething
(513) 639-3870
jmuething@kmklaw.com
KMK Legal Alerts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client nor any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
ADVERTISING MATERIAL.
©2010 Keating Muething & Klekamp PLL. All Rights Reserved.

