- FTC's red flag regulations require certain companies to implement identity theft protection plans.
The Federal Trade Commission (FTC) requires creditors and financial institutions to implement written Identity Theft Prevention programs to detect warning signs--or red flags--of identity theft in their operations. Institutions that have covered accounts as defined by the red flag regulations must implement a written plan to detect and respond to identity theft.
- As defined under the FTC red flags regulations, financial institutions are state or national banks, state or federal savings and loan associations, mutual savings banks, state or federal credit unions, and any other entity that either directly or indirectly holds transaction accounts for consumers. While other federal regulations relate to federally chartered banks and credit unions, the FTC’s jurisdiction extends to state banking institutions.
- Transaction Accounts under the red flag regulations are deposits or accounts from which a consumer can make payments to third parties.
- A creditor, as defined by the red flag regulations, includes businesses or organizations that provide goods or services and allow customers to pay for the goods or services later. A creditor is someone who arranges for the extension, renewal or continuation of credit. This includes mortgage companies, automobile dealers and retailers, health care providers, utility companies, lawyers, accountants and other professionals.
- The rules only apply to financial institutions that have covered accounts. Covered accounts are consumer accounts designed to permit multiple payments or transactions, or accounts that have a reasonably foreseeable risk of identity theft.
- Government and nonprofit entities that fall under the definition of either a financial institution or creditor are also required to implement a red flag plan. This includes cities that operate utilities and colleges that offer student loans.
- The FTC’s red flag regulations require financial institutions and creditors to implement an Identity Theft Prevention program. The FTC does not explicitly state any practice or procedure for the program, which allows each entity to implement one tailored to its business needs. The FTC will review the programs and determine compliance with the regulations based on the nature of the business and the risks that it faces.
- Although the FTC does not conduct routine reviews of all of the Identity Theft Prevention programs, the agency may investigate a business based on complaints. Monetary civil penalties and injunctive relief are available remedies to the FTC for violations of the red flag regulations. The maximum civil penalty per violation is $3,500.