Update on Red Flags Rule

(Editor's Note: The Alabama Society of CPAs sent letters to Federal Trade Commission Chairman Jon Leibowitz and Alabama's U.S. Senate and House of Representatives delegation last Tuesday, August 4, asking for the FTC to exempt CPAs from certain provisions of its Red Flags Rule to prevent identity theft. Read the AICPA's Journal of Accountancy for more information.)

Approximately 2 million entities will have to comply with the FACTA Red Flags Rule by November 1, 2009.

Regardless of which other federal laws may affect a business, if the business extends credit or bills out for services or products, and is not paid when those products or services are rendered, the federal government requires it to have an Identity Theft Program in place.

Ask yourself these questions:

1. Do you offer products and services to consumers or other businesses?

2. Do you bill out or extend credit for products and services?

Answering YES to these questions means that you must:

  • Perform a risk assessment
  • Identify all covered accounts
  • Identify relevant red flags that may signal identity theft
  • Implement appropriate detection and response procedures
  • Develop a written Identity Theft Prevention Program
  • Obtain board of directors approval for the Program
  • Appoint in writing a Security Compliance Officer to oversee the program
  • Train and educate staff on Identity Theft
  • Have a plan in place to mitigate damages in case of a breach
  • Ensure that “shared information” with vendors or suppliers is protected as well

Not only are credit card companies and financial institutions subject to these rules, but any company that regularly extends or merely arranges for the extension of credit is also subject to the Red Flags Rule.

Examples of companies that bill out include finance companies, mortgage brokers, automobile and motorcycle dealers, telecommunications companies, utilities and municipalities, hospitals and medical services, educational institutions, and professional tax preparers. These and many other companies not listed as examples will have to comply with the Red Flags Rule.

If your company extends or arranges for the extension of credit, then you are considered a “creditor” and the Red Flags Rule requires you to have an identity theft prevention program in place.

The Federal Trade Commission has acknowledged that many companies have been unaware that they fall under these rules. Therefore, it is extending the deadline of November 1, 2008 to May 1, 2009.

There are also Red Flags Rule Penalties for Non-Compliance:
Federal: $2,500 per individual incident (customer / transaction)
State: $1,000 per individual incident (customer / transaction, plus attorney’s fees)

After Regulatory Warning: $11,000 per individual incident

Useful Links
 Link to the Full Text of the Red Flags Rule:

 Link to FTC Red Flags Enforcement Policy:

 Link to new updates to extension of Red Flags Rule:

FTC Publication explaining Red Flags Rule

 Link to the Safeguard Rules

Article regarding City Government / City-Owned Utility

Medical Professional links:

This information provided as a courtesy to ASCPA members from http://www.identitytheftspecialists.net/