Beginning Aug. 1, 2009, companies that extend any sort of credit to their customers - even something as simple as sending a bill at the end of the month - will need to have a documented, board-approved Red Flag compliance strategy in place to help combat identity theft. The Red Flags Rule, a component of the Fair and Accurate Credit Transactions (FACT) Act signed into law in December 2003, requires that financial institutions and creditors in a number of industries implement a plan to identify, detect and respond to attempts to use stolen identity information. Grant Thornton LLP's Advisory Services group has created a white paper - The Red Flags Rule: What you need to know - to help companies understand what the rule requires, determine whether it applies to them and develop a compliance strategy.

 

"This rule is completely different from policies you have in place to protect sensitive information," said Randy Green, a principal in Grant Thornton LLP's Advisory Services group and the author of the white paper. "Instead, this regulation is designed to prevent thieves who have somehow acquired another person's identity from using it to commit a fraud. The rule requires you to identify all of the indicators that might tip you off to possible identity theft, implement appropriate predictive and detective controls, and react appropriately."

 

While the Rule has been in effect since November 2008, enforcement by the Federal Trade Commission (FTC) will begin Aug. 1 of this year. Initially, the FTC will assess retroactive penalties for violations, require additional compliance reporting from companies and obtain an injunctive compliance order. Further violations could result in a visit to federal district court and a fine of up to $16,000 per individual occurrence of identity theft.

 

"After Aug. 1, 2009, any occurrence of identity theft at your business exposes you to an FTC investigation," said Green. "We believe that enforcement of this rule will be complaint-driven, and given the staggering number of identity thefts, there will be no shortage of complaints."

 

"In summary, the Red Flags Rule is likely to become the standard of care that all companies will need to provide to prevent identity theft," concluded Green. "Skipping red flags compliance will expose you to real regulatory, reputational and litigation risks."

 

To download a full copy of this Grant Thornton white paper, The Red Flags Rule: What you need to know, please go to www.GrantThornton.com/redflags.