Many of you may be aware that in 2008, the Federal Trade Commission (FTC) issued its Red Flag Rule (the Rule), which is intended to help fight identity theft. The Rule, as originally written, requires financial institutions and creditors to establish a program to combat identity theft that encompasses a four step process for identifying and responding to risks.

Although the rule has been in effect since November 2008, there hasn’t been much fanfare about it until December 2010 when President Obama signed into law the “Red Flag Program Clarification Act of 2010” which brought some light to who is considered a “creditor”. Now that the rule has been clarified, the FTC is stepping up its enforcement efforts.

So, you ask, how is the FTC going to keep track of every “creditor” as defined and ensure compliance? Well, according to the FTC, as many as nine million Americans have their identity stolen each year. When investigating those cases, the FTC and other law enforcement agencies will be reviewing all aspects of the case, including who had access to that person’s information and how it was safeguarded. If they came knocking on your door, would you be able to hand them a copy of your Red Flag policy and prove to them that it is being enforced?

The FTC is authorized to impose penalties of up to $2,500 for each independent case. Now, that might not seem like a lot, but if someone uses stolen credit card information ten times to purchase goods from you and you are subject to the Rule but do not have a program in place, that could translate to a fine of $25,000 (and that doesn’t include any state and civil penalties that may result).

In my next post I’ll cover who is a “creditor” and how you can start to pull your program together to ensure compliance.

Want to refresh you control systems for 2011? Learn how HERE.