Are you ready for the new Red Flags Rule? If you extend credit to your customers, then you are likely to need to comply by June 1, 2010.
The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Federal Trade Commission to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all covered entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
MARPA members that extend credit to their customers for the purchase of aircraft parts are creating “accounts,” as that term is defined by the FTC. 16 C.F.R. § 681.2(b)(1)(i). If there is a reasonably foreseeable risk of identity theft then this is considered to be a “covered account.” 16 C.F.R. § 681.2(b)(3)(ii). MARPA members with one or more covered accounts must develop a written identity theft program. 16 C.F.R. § 681.2(d).
The Commission staff has continued to provide guidance on this Rule to the public. It has useful guidance on its dedicated “Red Flags Rule” website (www.ftc.gov/redflagsrule). On that website, you will see that the FTC has published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. There are also answers to frequently asked questions.A company’s Identity Theft Red Flags Program must include reasonable policies and procedures that accomplish the following goals:
Identify relevant Red Flags for the covered accounts that the company offers or maintains, and incorporate those Red Flags into its Program;
Detect Red Flags that have been incorporated into the company’s Program;
Respond appropriately to any Red Flags that are detected, to prevent and mitigate identity theft; and
Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the company from identity theft.
The rules were originally scheduled to become effective in 2008, but extensions has pushed back the compliance date to June 1, 2010.