FTC releases FAQs on Red Flags Rules

A new frequently-asked-questions document aims to clear up some of the confusion around the Red Flags Rules.

The rules, developed in accordance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require financial institutions and creditors to develop written programs to identify, detect, and respond to indications of identity theft. The Federal Trade Commission is expected to begin enforcement on Aug. 1.

The FAQ document released Thursday discusses which entities and accounts are subject to the rule, provides tips for compliance and addresses requirements applicable to card issuers.

It also seeks to clear up some of the biggest misconceptions associated with the rules. A major one is that the rules impose hardships on entities that are at a low risk for identity theft, Betsy Broder, assistant director in the Federal Trade Commission's division of privacy and identity protection, told SCMagazineUS.com Friday.

But the regulations were crafted so that the burden on an entity is proportional to its risk, Broder said. Organizations at low risk of identity theft, such as those that know their customers personally, can implement a streamlined identity theft prevention program. The FTC previously issued a template to help low-risk entities draft their programs.

“We have heard a lot of questions from low-risk entities, where the burden should be quite minimal,” Broder said. “And higher-risk entities, where the risk is more common and their effort should be more substantial, are saying this is a wonderful exercise for them.”

In fact, many businesses have had to conduct a risk assessment, examining each element of fraud risk in their business, she said.

“When companies can address fraud risk, they help protect their bottom line,” Broder said.

Another common misconception is that complying with the Health Insurance Portability and Accountability Act (HIPAA) or other regulations governing data security makes an organization compliant with the rules, Broder said. It does not: the Red Flags Rules do not focus on protecting data itself; they address detecting and preventing its misuse, that is, identity theft.

The new Red Flags Rules FAQ document is the work of six different agencies – the FTC, National Credit Union Administration, Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation and Office of Thrift Supervision.

The FTC previously created a website aimed at helping entities comply with the rules.

Last month, the agency extended the Red Flags Rules compliance deadline for the second time. When the FTC does enforce the rules, it will issue civil penalties on a case-by-case basis, Broder said.

“We are looking for good faith efforts of compliance,” she said.