May 20 Red Flags Rule Webinar Q&A

Many of the questions were specific questions about whether one type of business or company is required to conform to “Red Flags” based on the broad definition of “Creditors” and “Covered Accounts”.  I attempted to describe the regulation and qualification as best I could during the webinar.  The problem with trying to answer those questions here is 1) a brief question usually doesn’t give me enough information to know for sure if a company falls under Red Flags and 2) often there is more to the way that a company is doing business than what is expressed.

But generally, what I find is that organizations are looking for any possible way to not be qualified under Red Flags.  They don’t want more work and regulations, but in many respects, that is exactly why they needed to enact this legislation.  Far too few businesses think about identity theft and fraud.  I suggest that if you aren’t sure if you qualify as a business that is subject to Red Flags that you err on the side of caution and assume that you are.  The last thing you would want is to find out later that you should have been and be subject to civil monetary penalties.

Feel free to ask further questions in the comment section.

Q: Does the extended date apply to financial institutions, or is the original Nov date still applicable for banks, while the new date is for other organizations?

A: According to the FTC’s website “The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” - http://www.ftc.gov/opa/2009/04/redflagsrule.shtm

Q: Are the rules applicable to law firms?

A: If they allow their customers to pay for services at a later time than when the services were rendered... yes.

Q: It seems like law firms have a pretty secure way of handling accounts – what could they do in order to follow the rules that they aren’t already doing without a written program per se?

A: The point of Red Flags is to have a written program and then follow that program... not to find ways to avoid creating an identity theft program even if strong methods are already in place.  Even if an organization has a “secure way of handling accounts” that doesn’t mean that employees are trained to look for the signs of identity theft or that systems are in place to detect or respond to those events.

Q: Does the date change affect ALL orgs, or just FTC regulated orgs? I was under the impression that FDIC regulated orgs were still held to the original deadline.

A: See above... but yes, it applies to all.

Q: What guidelines are there for managed service providers that serve customers requiring Red Flag compliance?

A: I don’t know of any that specifically call out service providers.

Q: Do you offer a Red Flags service?

A: Our eSecurity Training portal does have a Red Flags training course.  We also offer several technologies that help identify, stop, and report on attempted data breaches, which is part of Red Flags.

Q: Will FINRA, independent from FTC, be issuing any Info Security regs?

A: I haven’t heard anything, but that doesn’t mean much.

Q: Would an investment adviser that allows clients to pay their annual fee in quarterly installments qualify as low risk for ID theft? If so, where can the ID theft program template be found?

A: That does not sound like “low risk” to me, but you should evaluate your business based upon what is outlined by the FTC and others.  I believe that the template will be sent out to everyone that was on the webinar.


Q:  Is there some sort of red flag checklist, kind of like the PCI self-assessment questionnaire?

A: Not that I have seen.  I have found several good sample policies on the Internet that an organization could use to model their policies and procedures on.


Q: What are the penalties/consequences of non-compliance?

A: “Civil Monetary Penalties”.  While it doesn’t look like there will be any active enforcement or auditing (at least at this time), if identity theft occurs and the company was not adhering to Red Flags, that is likely where consequences would come in.


Q: Must we notify our clients of our anti-identity theft program?  If yes, how often do we need to do this and how do we communicate this information?

A: I haven’t read anything that states that your program must be communicated to customers.  I know some businesses do that simply for the PR benefit.


Q: What agency will be monitoring this or will it only be complaint driven?

A: See answer above


Q: Does the FTC, or some other organization, have to approve a company as a low risk creditor?

A: As this seems to be more of a self-governing type of regulation, I don’t think the FTC or anyone else will get in the business of deciding who is low risk or not.
