The Red Flags Rule requires financial institutions and creditors to spot “red flags” that could signal the risk of identity theft of customer information. It also requires them to create and implement a program for preventing identity theft of information in their possession. Many businesses question whether they are covered by the Red Flags Rule, and if so, what they need to do to comply.
Scope
To know whether an employer is a covered entity under the rule, the employer must determine if it is a “financial institution” or “creditor” by definition, and if so, whether or not the employer has “covered accounts.”
Regulatory citations
- None
Key definitions
- Credit: An arrangement by which the employer accepts payment after the product is sold or after the service is rendered.
- Creditor: A business or organization that regularly extends, renews, or continues credit; arranges for someone else to extend, renew, or continue credit; or is the assignee of a creditor who is involved in the decision to extend, renew, or continue credit (e.g., finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies).
- Financial institution: Bank, savings and loan, credit union, or other entity that holds a customer’s “transaction account.”
- Transaction account: An account that allows the owner to make payments or transfers (e.g., credit, savings, or brokerage accounts).
Summary of requirements
What constitutes a covered account? There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions, such as credit card accounts, mortgage loans, car loans, utility accounts, and checking or savings accounts.
The other type of covered account is one for which there is a foreseeable risk of identity theft. For example, a small business or sole proprietorship account is one type of account that should be considered for coverage because it may be vulnerable to identity theft. In determining whether a business has such an account, the business should consider the risks associated with how the accounts may be opened or accessed, as well as past experience with identity theft.
If a business or organization is a financial institution or creditor, but does not have any covered accounts, the business doesn’t need a program. However, that doesn’t mean the business shouldn’t take measures to lessen the risk of identity theft.
What the program should look like. The Red Flags Rule gives an employer flexibility to design a program in a way that fits the business. However, to be in compliance, the program must follow certain guidelines as well as four basic steps. The program must:
- Identify relevant red flags. Examples of warning signs of possible identity theft, or “red flags,” are warnings from a consumer reporting agency, personally identifying information or documentation that appears suspicious, suspicious activity on an account, or notices from customers or law enforcement agencies relative to possible identity theft.
- Detect red flags. Detecting red flags means working detection methods into the regular business procedures. For example, a business may decide to cross-check account information, require an additional step for customer identification, or more closely verify changes to account information.
- Take steps to prevent and mitigate identity theft. Efforts to prevent and mitigate identity theft could include refusing to open a new account unless all required information is present; closing an account with suspicious activity; or notifying a consumer of unusual activity on an account.
- Be updated periodically. A program must include a process for updating it, since the methods and types of identity theft may change over time, or a business may change its procedures, necessitating a change in the program.
Other requirements. If an organization has a Board of Directors, the Board must approve the program. If an organization does not, then the program must be approved by an appropriate committee or member of senior management. Any material changes to the program must also be approved by the Board, committee, or management. Training of staff should be a material element of a program.
Note: Non-profit or government agencies might be considered creditors if they accept deferred payments for goods or services. On the other hand, according to the Rule, simply accepting credit cards as a form of payment does not in and of itself make a business a creditor.