New Identity Theft Rule
Over the past several years, Congress has taken legislative action to address the growing problem of identity theft. As a result, penalties are much stiffer for those convicted under federal identity theft laws, and financial institutions and “creditors” - including many nonprofit organizations - will be required to take an active role in combating identity theft.
The Red Flags Rule
Under a federal regulation known as the “Red Flags Rule,” financial institutions, businesses, and other organizations meeting certain criteria must create and implement a formalized, written Identity Theft Prevention Program (ITPP) designed to detect the warning signs of identity theft. Beyond detection, the Rule also requires that steps be taken for the prevention and mitigation of identity theft.
Two Key Definitions
The Rule affects a diverse array of businesses and organizations. To gauge the potential impact on your organization, your first step should be to determine whether your organization is a “creditor.” The regulation broadly defines creditor as an organization that regularly allows customers or clients to defer payment for the goods or services it provides or bills its customers later.
Under this definition, nonprofit health-care organizations, colleges and universities, clubs, and many trade associations are most likely subject to the new rule. Simply accepting credit cards for payment does not mean an organization is a creditor. However, if an organization regularly sends out invoices, the Rule may very well apply.
If your organization is a creditor, then the Red Flags Rule applies to any “covered accounts” you may have. In very basic terms, an account is covered if (1) it allows a consumer or member to make multiple transactions or payments or (2) there is a reasonably foreseeable risk of identity theft to the customer or the creditor.
Think of the Red Flags Rule as an early warning system. In formulating your ITPP, you’ll need to identify all possible signals (red flags) that someone who is trying to set up a new account or access an existing one may not be the person he or she claims to be.
Some general examples of red flags include address discrepancies, multiple address changes, an alert or notice from a credit reporting agency, forged or altered documents or IDs, and inconsistent personal information. The list of red flags germane to your organization will depend on the type of accounts you have and the various ways clients or members access their accounts. For example, if online access is permitted, then data security and other “cyber” breaches must be included on your list of red flags.
Once the red flags have been identified, the next step is to outline the methods that will be used to detect identity theft and the steps that will be taken to prevent and mitigate the harm done. The program may incorporate and build on your current security measures.
The regulation requires that your ITPP be approved by the board of directors, a committee appointed by the board, or a senior executive and that day-to-day administration be handled by a senior employee (or higher-level person). Your ITPP also should outline staff training procedures and be updated regularly.
When it comes to identity theft, third-party service providers are also a concern. It is your organization’s responsibility to ensure that providers have developed an ITPP to comply with the Rule.
Use of Consumer Reports
If your organization uses consumer reports to run background checks on prospective employees or volunteers, the Red Flags Rule requires you to develop policies and procedures to apply when your organization receives notice of an address discrepancy. These policies and procedures should be designed to enable your organization to form a “reasonable belief” that the consumer report relates to the consumer about whom you have requested the report.