In an earlier blog post, we covered the basics of the FTC’s Red Flags Rule – which requires certain types of businesses and financial organizations create an Identity Theft Prevention Program designed to detect the “red flags” (i.e. signs indicative of potential identity theft activity) unique to their day-to-day operations.

Since every business deals with different types of red flags and levels of risk, the FTC does not endorse or enforce any kind of one-size-fits-all compliance program. They have, however, provided guidelines describing the 4 core elements of ID theft prevention programs – which we’ll walk through in this blog post.

Step 1: Figure Out Your Red Flags

The first step is defining all of the red flags that would apply to your business. To help businesses narrow down all of the transactional patterns, consumer behaviors, 3rd party information, or other evidence signaling identity theft, the FTC describes five categories of red flags (which we reviewed in our previous post). However, not all possible red flags will be relevant to the way your organization operates.

For example, a car dealership requires customers to provide some form of ID before granting them an auto loan. An ID that doesn’t look genuine would count as a red flag. But, since there isn’t a way for customers to make additional charges to the account after it’s created, patterns of account activity that would count as red flags for other businesses wouldn’t apply in this scenario.

Step 2: Detect Red Flags

The second step is to explain the systems and procedures your organization will put in place to detect the red flags you defined in step 1. This is arguably the trickiest part since there aren’t any specific practices to follow or technology requirements you need to meet. On the plus side, you have the flexibility to customize the program to your business operations.

As previously mentioned, every program is different – so the FTC will assess your Identity Theft Protection Program’s compliance based on the “reasonableness” of its policies and procedures relative to your company’s size and nature of operation. Generally speaking, the higher your level of risk, the more robust your detection program will need to be.

Step 3: Respond to Red Flags

Now that you know what red flags to look for and how to find them, what will you do when you actually catch some? Again, your response will depend on the type of red flag and degree of risk posed. In addition to documenting detected red flags,  escalating unresolved incidents to relevant managers, and monitoring affected accounts for additional evidence of ID theft, and notifying the customer, some common types of red flag responses include:

  • Discontinuing the transaction or other relevant action (not opening a new account, not trying to collect on an account, not granting account access, etc.)
  • Using additional resources to verify the customer’s identity
  • Determining that no response is warranted
  • Notifying law enforcement

Step 4: Stay Up to Date

New types of red flags, and methods for detecting them, will crop up as technology changes or identity thieves change their tactics. The FTC requires that Identity Theft Prevention Programs have in place “policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.” During this assessment process, you should account for the following factors:

  • Your company’s experiences with identity theft since implementing the program
  • Changes in identity theft tactics
  • New technology and/or methods for detecting and responding to red flags
  • Changes in the types of accounts or services you offer – and whether there are new types of red flags you should add to your Program
  • Changes to your company structure – especially ones that may have introduced new types of “covered accounts” into your business – such as mergers, acquisitions, alliances, joint ventures, and arrangements with service providers