Red Flag Rules Are Part of What Federal Law
The development and implementation of an effective “red flag” detection system is critical to the success of an identity theft prevention program. For example, if you regularly check ID documents for certain transactions, an ID that appears to be fake is a “red flag” for your business, so it is essential to have procedures in place to detect falsified or altered identification. The rule recognizes that new red flags will appear as technology changes or identity thieves change tactics, and requires regular updates to your program. Consider your own experience with identity theft; changes in the way identity thieves work; new methods to detect, prevent and mitigate identity theft; changes to the accounts you offer; and changes in your business, such as mergers, acquisitions, alliances, joint ventures, and agreements with service providers.
Section 681.1 of this Part requires every financial institution and creditor that offers or maintains one or more covered accounts, as defined in section 681.1(b)(3) of this Part, to develop and maintain a written program to detect, prevent and mitigate identity theft related to the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in formulating and maintaining a program that meets the requirements of section 681.1 of this Part.
The SEC's identity theft rules require certain SEC-regulated firms to implement a written identity theft program that includes policies and procedures that include: For each red flag identified, a company must then set up a system to recognize these red flags when they occur. Here are the very general requirements for detecting red flags: Common categories of red flags. Supplement A to the Red Flags Rule lists certain categories of red flags that you should include in your program.
The examples presented here are a way to think about the relevant red flags in the context of your own business.
In 2003, Congress amended the Fair Credit Reporting Act (“FCRA”) to require the Federal Trade Commission (“FTC”) and certain other federal agencies (collectively, the “Agencies”) to jointly adopt rules and guidelines for identity theft. At that time, the FCRA did not require or authorize the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”) to adopt these rules. Instead, the FTC had the authority to enact and enforce these rules with respect to entities regulated by the SEC and CFTC. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 amended the FCRA to transfer responsibility for establishing identity theft regulations, and enforcement powers over SEC- and CFTC-regulated companies, to the SEC and CFTC.
The Red Flags Rule was established in 2007 pursuant to Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 U.S.C. 1681m(e). The Red Flags Rule was published at 16 C.F.R. § 681.1. See also 72 Fed. Reg. 63,771 (November 9, 2007). For the full text, see www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. The preamble (pages 63,718-63,733) deals with the purpose, intent and scope of the rule. The text of the FTC rule can be found at pages 63,771 to 63,774. The rule contains Guidelines (Appendix A, pages 63,773 to 63,774) designed to assist organizations in developing and maintaining a compliance program. The supplement to the guidelines (page 63,774) contains a list of examples of red flags that businesses and organizations should include in their programs.
This guide does not address companies' obligations under the Address Discrepancy or Card Issuer Rules, which are also included in the Federal Register with the Red Flags Rule. An SEC-regulated company is generally considered a financial institution if it holds an individual's transaction account. An account may be a transaction account (and therefore the company holding the account may be considered a financial institution) if the individual account holder can personally make payments or transfers of money from his or her account to third parties, or can order the SEC-regulated entity to make such payments or transfers to third parties.