Greetings to those of you who joined us on the Agiliance webinar. Jim mentioned the Basic FTC Red Flags Checklist that we have created for you.
The Archives
Agiliance Webinar Visitors – Red Flags Checklist
Thursday, August 6th, 2009
Red Flags Delayed (Again)
Wednesday, July 29th, 2009
The FTC has given creditors an extension to the August 1 deadline for Red Flags compliance. The (latest) updated deadline is November 1st. Here’s what this means for you.
FTC Red Flags Primer (Screen Cast)
Wednesday, July 29th, 2009
As Red Flags goes into effect August 1 (the banking deadline was Nov 1 08), we have had a number of requests to provide a primer to bring folks up to speed, as many covered entities are nowhere close to ready for Red Flags. On August 6th, we will be presenting a live overview, “FTC Red Flags, Are You Ready?”, with Agiliance and Novell. Register now for that event.
The FTC Red Flags Rule defines how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of Identity theft.
Join us for this timely pre-recorded event to understand Red Flags and how to comply with this new FTC Rule. Find out the deadlines, the penalties, and the cost of non-compliance.
Our compliance practice lead will help you prepare for Red Flags by discussing these key topics:
- What is FTC Red Flags and who needs to comply
- What are the deadlines and what defines ‘being compliant’
- What are the four basic elements and key objectives of FTC Red Flags
- What are best practices to maintain Red Flags Compliance
Mass. 201 CMR 17 Updates
Monday, May 4th, 2009
In short: at this point, your 201 CMR 17 compliance plan should be added to your compliance program, your technical controls deployed (encryption, firewalls, etc.), and you need to select an independent 3rd party to conduct your audit.
Issued in September, the regulations require that businesses encrypt documents sent over the Internet or saved on laptops or flash drives, encrypt wirelessly transmitted data, and deploy up-to-date firewalls to create “an electronic gatekeeper” between the data and the outside world that only allows authorized users to access or transmit data.
Under the new deadline structure:
- The general compliance deadline for 201 CMR 17.00 is extended to May 1. The date is consistent with a new FTC Red Flag Rule requiring financial institutions and creditors to develop and implement written identity theft prevention programs.
- Third-party service providers now have until May 1 to prove they are capable of protecting personal information and are contractually obligated to do so. Meantime, the deadline for requiring written certification from third-party providers will be further extended to Jan. 1, 2010.
- The deadline to encrypt all laptops will be extended from Jan. 1 to May 1, and the deadline to encrypt other portable devices will be further extended to Jan. 1, 2010.
‘Red Flag’ Requirements for Financial Institutions and Creditors
Thursday, September 4th, 2008
FTC and NCUA release Red Flags Rules. Deadline: May 1, 2009. Applies to “financial institutions” and “creditors” with “covered accounts”. May extend to other industries.
The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of Sections 114 and 315 of FACTA (the Fair and Accurate Credit Transactions Act of 2003). These sections, also known as the Red Flag Rules, require that all financial institutions, and creditors that hold any customer transaction accounts, offer basic, complimentary identity theft protection to all new and existing account holders within their portfolios. The programs must be in place by November 1, 2008. Affected institutions must provide for the identification, detection of, and response to “red flags” that could indicate identity theft.
Who must comply with the Red Flags Rules?
The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”
Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.
Complying with the Red Flags Rules
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
How flexible are the Red Flags Rules?
The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. A supplement to the FTC Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:
- alerts, notifications, or warnings from a consumer reporting agency;
- suspicious documents;
- suspicious personally identifying information, such as a suspicious address;
- unusual use of – or suspicious activity relating to – a covered account; and
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.