FTC's FACT Act 'Red Flags' Rule: An Update

October 19, 2010

EisnerAmper LLC, financial services accountants, issued an update on the FTC's Red Flags Rule on Identity Theft that's scheduled to go into effect on 1/1/11. The rule, developed under the Fair and Accurate Credit Transactions Act, was last postponed at the 11th hour in May 2010, supposedly to allow Congress time to fix certain unintended consequences of the legislation.

The Rule will require for-profit and not-for-profit “financial institutions” and “creditors” to develop and implement a written Identity Theft Prevention Program to help detect and respond to warning signs – i.e., “red flags” – that could indicate identity theft.

Here's the meat of EisnerAmper's update, followed by a reprint of a related story that appeared in C-I's RULE News on 6/1/10.

    This from EisnerAmper.   It is important for executives to consider the implications of the Rule on their operations and business processes.  Of particular relevance is how the Rule defines the term “creditor” – broadly including entities that regularly provide goods or services first, but allow customers to pay later.  With exceptions, an organization that has “covered accounts” – consumer accounts that permit multiple payments or transactions for purchased goods or services, or any other accounts at risk from identity theft – is expected to comply with the Rule.  Among the organizations that may fall within this definition are retailers and distributors; health care providers, lawyers, accountants, and other professionals; and other businesses that regularly defer payments or grant payment terms.  Understandably, many such organizations do not normally consider themselves as “creditors,” but even so may need to comply with the Rule’s provisions.

    Fortunately, the Rule provides flexibility allowing an organization to design and adopt an Identity Theft Prevention Program that is commensurate with its particular risks of identity theft.  However, the Program must (1) define the specific “red flags” that may be encountered in its day-to-day operations (for example, suspicious or potentially fraudulent customer identification, or customer claims of identity compromise); (2) set forth reasonable policies and procedures designed to detect those red flags, such as procedures incorporating mandatory steps for verifying/authenticating a person’s identity; (3) delineate specific response actions to be initiated should a red flag be detected; and (4) provide a means for periodic Program re-evaluation.

    Presently, the FTC does not conduct routine compliance audits, but may in the future conduct investigations and, if warranted, seek both monetary civil penalties and injunctive relief for violations of the Rule.  Nonetheless, whether organizations may be affected by the Rule or not, they should consider adopting Red Flag principles and have in place a workable Identity Theft Prevention Program to combat the financial, operational, and reputational risks of identity theft.  The enforcement “reprieve” by the FTC provides a timely opportunity to those seeking to implement a Program by year end.  

To access the original story, click onto:   [ EisnerAmper News, 10/15 ].

++++++++++++++++++++++++++++++++++++++++++++++

C-I Reprint from RULE News, 6/1/10:   "FTC Does It Again - Delays Red Flags Rule"

The Federal Trade Commission announced at the 11th hour that it's further delaying enforcement of the “Red Flags” Rule through 12/31/10, at the request of several members of Congress, according to FTC Chairman Jon Leibowitz.

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift.  As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Rule was developed under the Fair and Accurate Credit Transactions Act ("FACT ACT"), in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. All such entities that have “covered accounts” are required to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Three Year Itch.   The Rule became effective on 1/1/08, with full compliance for all covered entities originally required later that year, by 11/1.  Since then, enforcement of the FACT Act has been postponed several times, most recently in October 2009, also at the request of certain members of Congress.  In the interim, FTC staff has continued to provide guidance, both through materials posted on the FTC Web Site, and in speeches and participation in seminars, conferences and other training events to numerous groups.  The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm).