The Red Flags Rule - Identity Theft Prevention Programs - FAQs
Why is the government requiring that some companies implement an Identity Theft Prevention Program?
- Because millions of people are the victims of identity theft each year, resulting in overwhelming costs to consumers, business and law enforcement. The idea behind the law is that businesses can prevent a loss before it happens by recognizing and responding to the "red flags" that someone is using a stolen identity to buy goods or services.
Who must implement a Red Flags Program?
- Any company that maintains accounts that are subject to a "reasonably foreseeable risk of identity theft." These accounts include:
  - In-house credit accounts
  - Branded credit card accounts
In my store I accept several widely-used consumer credit cards such as MasterCard, Visa and American Express. Must I implement a Red Flags Program because I accept these cards?
- No. But, be aware that your merchant agreement with the credit card companies may require that you comply with standards pertaining to accepting credit cards. These standards must be in place in your business to protect cardholder data from identity thieves.
I am covered by the Red Flags Rule. What must I do to comply?
- You must implement a written Identity Theft Prevention Program with five components:
  - Identify the red flags of identity theft (such as suspicious ID)
  - Detect the red flags (such as by closely examining ID)
  - Respond to red flags, and mitigate identity theft if it does occur
  - Administer the Program, integrate it into daily operations, and update it as necessary
  - Train your employees regarding the Red Flags Program
If I am covered, when must I comply?
- Enforcement began on December 31, 2010. Implement a program ASAP!
I am covered by the Rule. What should I do to implement a Red Flags Program?
- Buy the JVC Red Flags Rule Compliance Kit, sponsored by GE Money. Visit www.jvclegal.org for details about the kit.
- Visit the FTC website for more information about the Red Flags Rule at http://business.ftc.gov/privacy-and-security/red-flags-rule
What are the penalties for non-compliance?
- Fines of up to $3,500 per violation.