Red Flags Rule Resources
RECENT NEWS:
Troutman Sanders LLP provides timely updates in regards to Red Flags Rule to inform you of recent changes in the law, upcoming regulatory deadlines or significant judicial opinions that may impact your business.
Click here to sign-up for future updates.
FTC Red Flags Rule: 401(k) Plan Guidance Based on Participant Loans, August 28, 2009
FTC to Delay Enforcement of Red Flags Rule Until November 1, 2009, July 30, 2009
FTC Issues Red Flags Rule FAQs, June 19, 2009
FTC Issues "Fighting Fraud with the Red Flags Rule: A How-To Guide for Business", May 15, 2009
FTC to Delay Enforcement of Red Flags Rule Until August 1, 2009, May 6, 2009
FTC Issues Guidance on Red Flags Rule to Utility Companies, April 20, 2009
Red Flags Rule "Enforcement Begins May 1, 2009", April 1, 2009
What is the Red Flags Rule?
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage identity theft inflicts. The FTC has explained that by identifying red flags in advance, businesses will be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into an actual incident of identity theft.
Which agencies issued the Red Flags Rule?
The Rule was promulgated jointly by the Federal Trade Commission, federal bank regulatory agencies (including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the FDIC, the Office of Thrift Supervision) and the National Credit Union Administration, pursuant to authority granted by the Fair and Accurate Credit Transactions (“FACT”) Act of 2003 which amended the Fair Credit Reporting Act (“FCRA”).
What are some “Red Flags” of identity theft?
The Red Flags Rule lists five major categories of red flags, which include:
- Alerts, notifications or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personal identifying information;
- Unusual use of, or suspicious activity related to, the covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor
Who must comply with the Red Flags Rule?
The Red Flags Rule applies to “financial institutions” and “creditors” that offer or maintain “covered accounts.”
What is the deadline for compliance?
Financial institutions regulated by the federal bank regulatory agencies were required to have an identity theft prevention program in place by November 1, 2008. Other entities subject to the Red Flags Rule must have a program in place by August 1, 2009.
What steps must be taken to comply?
Every business should take seven essential steps to develop a compliant Red Flags Program:
- Step 1: Appoint a Red Flags Manager
- Step 2: Conduct a Risk Assessment
- Step 3: Create the Red Flags Program
- Step 4: Have the Board/Committee Approve the Red Flags Program
- Step 5: Train Appropriate Personnel
- Step 6: Keep the Red Flag Program Up-to-Date
- Step 7: Periodically Report to the Board of Directors
Representative Red Flags Rule Engagements
The attorneys at Troutman Sanders have extensive experience in advising businesses in a variety of industries (including banking and financial institution, utility, telecommunication healthcare and local government entities) on Red Flags Rule issues, including:
- Drafting Red Flags Rule policies;
- Assisting businesses in calculating risk assessment of their unique warning signs and actual experiences of identity theft;
- Overseeing a company’s Red Flags Rule program;
- Assisting in training of officers and employees on Red Flags Rule issues; and
- Advising businesses in Red Flags Rule compliance issues including analysis of FTC guidance on the Red Flags Rule.
Speaking Engagements
- Troutman Sanders Privacy Seminar, "Fighting Identity Theft: The Red Flags Rule," May 14, 2009
- Troutman Sanders and KPMG, "FACTA Compliance: Identity Theft Red Flags and Address Discrepancies," January 21, 2009
- Troutman Sanders Healthcare Seminar Teleconference, "Red Flags or Red Herring: How to Develop and Implement an Identity Theft Protection Program," October, 17, 2008
Publications
- Anthony, David N., Whaley, Erin S., Fitzgerald, Paige S., “Red Flags Rule Protects Patients: FTC Rule on Identity Theft Impacts Providers,” Coding Edge, February 2009
- Anthony, David N. & Matt Kirsner, “Red Flag or Red Herring: How to Develop and Implement an Identity Theft Protection Program,” Aug. 20, 2008