Red Flag Analysis / Identity Protection
What is FACTA?
In 2003, Congress enacted the Fair and Accurate Credit Transactions Act (FACTA Act), which required the Federal Trade Commission (FTC) and other federal agencies to issue regulations requiring financial institutions and other “creditors” to adopt policies and procedures to prevent identity theft. In 2008, the FTC issued regulations named the “Red Flag Rules”, which went into effect on January 1, 2008, with a final compliance date of August 1, 2009. The regulation applies to all financial institutions and to a category called “creditors”, meaning any person or business who arranges for the extension, renewal or continuation of credit.
What is Required?
The Red Flag Rules require the development and implementation of a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a “covered account” or any existing “covered account”. The program must be appropriate to the size and complexity of the entity and the nature and scope of its activities. 16 C.F.R. Section 681.2(d).
The ‘red flag’ rules present compliance issues for any business, and businesses that rely on critical vendors with access to the same data carry an additional burden. If there is an identity breach by a business vendor, the entity will be in the chain and will be vulnerable to both legal liability and negative publicity.
How We Help Clients Develop Red Flag Plans
Within 30 to 45 days of a final scoping report, following a plan review, Firestorm can develop a red flag plan that will satisfy the requirements of the regulations. The plan will be designed to detect, prevent, and mitigate identity theft and be tailored to your company’s size, complexity and the nature of its operations. A plan will include ‘reasonable policies and procedures’ that will:
- Identify relevant red flags and incorporate those red flags into the plan;
- Detect red flags that have been incorporated into the plan;
- Respond appropriately to any red flags that are detected;
- Train staff and confirm the identity and responsibility of the Compliance Officer;
- Ensure the plan is updated periodically to reflect changes in risks to clients or to the safety and soundness of the financial institution from identity theft.