New York State Close to Enacting UPMIF
Sept 7 '10
Health Care Reform and the Not-for-Profit
July 14 '10
Enforcement of Red Flags Rule Delayed Again
June 18 '10
Update on Medicaid Audit Work Plan
April 21 '10
IRS Form 990 Changes for 2009
March 23 '10
Department of Labor Registration for E-filing IRS Form 5500
Feb 26 '10
Lesser Known QuickBooks Shortcuts
Feb 19 '10
|
As many of you know, the “Red Flags Rule” (a component of the Fair and Accurate Credit Transactions Act) was written by the Federal Trade Commission (FTC) to develop a set of Rules mandating the detection, prevention and mitigation of identity theft. The Rule requires a business to take a risk-based view of their operations and identify where and how a thief could be fraudulently using someone else’s identity. The Rule was purposely written to cover virtually any company that does not require full payment up front, and defines a creditor as any business that allows a customer to defer payment. In short, if you send invoices, you are probably covered by this Rule.
The Rule envisions that businesses will identify potential identity theft through the use of red flags. A red flag might be a customer presenting suspicious credentials, multiple address changes in a short period of time or a notification from a credit reporting agency that the customer has placed a hold on his or her credit history. The Rule requires you to identify all of the indicators that might tip you off to possible identity theft, implement appropriate predictive and detective controls, and react appropriately.
The Red Flags Rule does not name specific types of businesses that must comply. Instead, compliance requirements are based on the types of accounts your business has with customers. The Rule is generally based on the existence of covered accounts. The first type of covered account is one that is “a continuing relationship established by a person with… a creditor to obtain a product or service for personal, family, household, or business purposes.” As an example, this definition can include not-for-profit organizations that allow people to pay dues or pledges in installments. Any other type of account where there is “reasonably foreseeable” chance of identity theft is also a covered account.
Remember, it is not the type of business you are, or the industry you are in --- it is whether you have or handle covered accounts.
Enforcement by the FTC of the “Red Flags Rule” was to have initially taken effect November 1, 2008, but has been delayed several times. Most recently, at the request of certain members of Congress, enforcement has been delayed until December 31, 2010 to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule.
FTC staff has continued to provide guidance through participation in seminars and conferences and materials posted on www.ftc.gov/redflagsrule.
|