Red Flag Rules... Ready, Set, Comply!!

Posted June 11, 2010, 2:20 pm by Curtis Blount

Image of Curtis

Curtis Blount

Red Flag Rules…. Ready, Set, Comply

Part 1: Interpretation


On June 1, 2010 the Federal Trade Commission will implemented compliance to the Red Flag Rules. While the official date has been  somewhat of a moving target, it looks like June 1st is the final. So the questions to ask is are you ready?

As with most regulatory compliance statues they are heavy on ambiguity and light on practical substance. As such interpretation is left up the person responsible for first determining IF Red Flag applies to you and if so what to do about it. The good news is that Red Flag Rules are based on IT Governance which is based in part on ISO 27000:2005 standards for Information Security best practices.

This is part one of a three part blog on Red Flag Rules. In part one we cut through the red tape and put into lay men’s terms what is Red Flag Rules and who must comply.

In part two we will discuss the self assessment and business risk impact analysis.

Finally in part three we will discuss steps to creating a data privacy program for your organization.

What are Red Flag Rules?

Basically Red Flags Rules are a set of mandatory standard that certain businesses must develop, implement and maintain an Identity Theft Prevention Program. Red Flag Rules are named after Red Flags which are suspicious patterns or practices or specific activities that indicate the possibility of identity theft. If you have inadequate security practices within your organization, you have Red Flags.

The Identity Theft Prevention Program (i.e. data security and access controls) must include four basic elements:


Who must comply?

This is the tricky part and where interpretation is left up to the reader. According to the FTC Red Flag Rules applies to all financial institutions, creditors, and covered accounts.

Financial Institutions: Financial Institutions are pretty each to interpret. Any financial institution that holds a monetary transaction account belonging to a consumer falls under this entity. This includes all financial institutions that fall under the Savings and Loan Association, National Credit Union Association and the FTC.

Creditors: Creditors is a broad category that includes “businesses or organizations that provide credit (i.e. defer payments) for goods and services to their clients”.  This would include utility companies, health care providers (yes this does include doctor’s offices), telecom (cell phone providers, cable, satellite, etc.), mortgage brokers, real estate agencies, car dealers and retailers. From a small business perspective if you sell services to another small business and/or clients and take payments based on invoice, you would fall into this category as well.

Covered Accounts: Covered accounts are not necessarily part of the “who must comply” group but rather once you identify if you are financial institution or creditor “what type of accounts must be covered under Red Flag”. According to the FTC Covered Accounts fall into two categories. The first is consumer account data that is maintained by your organization. The second is “data for which there is a reasonable foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft”.

To put Covered Accounts in perspective, it’s any data (both client related and internal proprietary data) and the systems used to send, store and transact this data within your organization. As I mentioned earlier the whole point is to create policies and procedures for the protection of all confidential data. Part of that process is maintaining an infrastructure support that endeavor. Hence, knowing and understanding ones risk to your organization and to your clients. If your organization has lacked security practices, then your clients are at risk as well.

In closing consider this to be the pre-stage to developing a program to comply with Red Flag Rules. This is no different from the same framework in developing an information security program under ISO. Keep in mind the following points:

I think you get the idea. We have a self assessment checklist at that provides customers a way to determine their level of business security risk. This will lead us into the next blog post.

Filed under: Lifecycle Management
Edited December 29, 2014 by Eric
Listed in Communities: Our Site
Tagged as: Red Flag Rules

You must be logged in to post comments.