Red Flags Rule: Are You Exempt?


Red Flags Rule: Think you are exempt? Think again!

Kroll offers up the top questions organizations should be asking themselves to determine
applicability and, if necessary, achieve compliance

On December 18th, President Obama signed the Red Flags Program Clarification Act of 2010 into
law. At first glance, the Act effectively narrows the scope of those organizations deemed “creditors”
and, thus, obligated to comply, but many do not realize that it also contains provisions potentially
drawing in organizations that maintain accounts “subject to a reasonably foreseeable risk of
identity theft.” Not surprisingly, the Act has caused no small amount of confusion among
many organizations.

The FTC is expected to release further guidance and update its website on the Act’s implications
for businesses, but, in the meantime, many companies are left wondering: Do we have to comply?

Below, Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions division, outlines questions
that organizations need to be asking themselves now to head off potential liability issues later–by
defining known risk factors and identifying ways to better protect their customers, employees, and
bottom line from crimes like fraud and identity theft.

Question #1: Are we really exempt?
With so much confusion as to who must comply with the Red Flags Rule, this is one question that
an organization can’t ignore. Until further guidance arrives from the FTC, it is important to
recognize that certain factors increase the likelihood that your organization is considered a
covered entity. Are any of the accounts in your care at a high risk for identity theft? Do you
utilize consumer credit reports at all or, at any time, report delinquent accounts to a collection
agency? Any organization that routinely submits information on non-paying consumers to
collections agencies, which in turn submit such information to a credit reporting agency, is not
exempt from the Red Flags Rule.

Question #2: Do we foresee any business changes that might cause the organization to meet the
requirements for compliance?
Have your organization’s products, market, or business model changed? Is there an acquisition or
merger on the horizon? You may not be subject to the Red Flags Rule now, but things change.
Ensure your organization is always aware of how new business developments can impact your
liability. According to the FTC’s posted business guide, “business models and services change.
That’s why you must conduct a periodic risk assessment of your operations to help you determine
if you’ve acquired any covered accounts through changes to your business structure, processes,
or organization.” And if you do anticipate a future change in status, it’s never too early to
start considering what policy and procedural changes might be necessary to maintain compliance.

Question #3: What easy, extra steps could we take right now to detect or mitigate identity theft?
Most likely, there are many simple steps that could be implemented now to make basic Red Flags
detection part of your security culture. Opportunities include training employees to recognize
signs of identity theft or checking an ID to authenticate a customer during a business
transaction. Certainly, small changes that don’t distract too much from day-to-day business and
require minimal investment are easier than jumping into a comprehensive Red Flags program. Need
some motivation? Compare the time it takes to make some modifications in basic processing steps
or procedures to the time and resources taken away when required to assist a customer who has
already become a victim of identity theft.

Question #4: How much does our organization currently absorb in fraud costs?
Consider the statistics: according to a 2010 Javelin report, the total cost of fraud among U.S.
businesses in 2009 was $54 billion, a 12.5 percent increase over fraud losses in 2008. This
increase was driven largely by the growth in new accounts fraud, which rose 17 percent from
$18 billion to $21 billion. Costs are also rising as organizations take on more of the fraud loss
tab to lessen the burden on their customers (e.g., 100% of the top 25 financial institutions
surveyed now, for the first time, offer zero liability fraud guarantees for debit cards, according
to Javelin’s 2009 “Banking Identity Safety Scorecard” survey). Good customer service? Absolutely!
But hard on the bottom line. Just think how implementing policies and procedures to identify red
flags and mitigate risks of identity theft now could potentially help save billions later.

For more information on Red Flags Rule compliance and other data security issues, visit
www.krollfraudsolutions.com or check out the Kroll Fraud Solutions blog “A Dialogue on Data Security.”

Kroll’s Fraud Solutions
866 419 2052
www.krollfraudsolutions.com
www.kroll.com

This article was prepared for general information purposes only and does not
constitute legal or other professional advice. Always consult with your own
professional and legal advisors concerning your own situation and any specific
questions you may have.
© 2011 Kroll Inc. All rights reserved. Compliance #LIT021611; Item #NM0202111
