Red Flags Rule: Are You Exempt?Red Flags Rule: Think you are exempt? Think again!Kroll offers up the top questions organizations should be asking themselves to determineapplicability and, if necessary, achieve complianceOn December 18th, President Obama signed the Red Flags Program Clarification Act of 2010 intolaw. At first glance, the Act effectively narrows the scope of those organizations deemed “creditors”and, thus, obligated to comply, but many do not realize that it also contains provisions potentiallydrawing in organizations that maintain accounts “subject to a reasonably foreseeable risk ofidentity theft.” Not surprisingly, the Act has caused no small amount of confusion amongmany organizations.The FTC is expected to release further guidance and update their website on the Act’s implicationsfor businesses, but, in the meantime, many companies are left wondering: Do we have to comply?Below, Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division, outlines questionsthat organizations need to be asking themselves now to head off potential liability issues later–bydefining known risk factors and identifying ways to better protect their customers, employees, andbottom line from crimes like fraud and identity theft.Question #1: Are we really exempt? Question #2: Do we foresee any businessWith so much confusion as to who must changes that might cause the organization tocomply with the Red Flags Rule, this is one meet the requirements for compliance?question that an organization can’t ignore. Have your organization’s products, market,Until further guidance arrives from the FTC, it or business model changed? Is there anis important to recognize that certain factors acquisition or merger on the horizon?increase the likelihood that your organization You may not be subject to the Red Flagsis considered a covered entity. Are any of the Rule now, but things change. Ensure youraccounts in your care at a high risk for identity organization is always aware of how newtheft? Do you utilize consumer credit reports at business developments can impact yourall or, at any time, report delinquent accounts liability. According to the FTC’s posted businessto a collection agency? Any organization that guide, “business models and services change.routinely submits information on non-paying That’s why you must conduct a periodic riskconsumers to collections agencies, which assessment of your operations to help youin turn submit such information to a credit determine if you’ve acquired any coveredreporting agency, is not exempt from the Red accounts through changes to your businessFlags Rule. structure, processes, or organization.” And if you do anticipate a future change in status, it’s never too early to start considering what policy and procedural changes might be necessary to maintain compliance.