If you offer credit, you need an Identity Theft Prevention Red Flag program
Is your organization prepared to comply with the Federal Trade Commission’s Identity Theft Red Flag rules? The objective of the rules is to protect customers against identity theft, but it is important to remember your organization and its customers are both victims when identity theft occurs.
Red flag compliance means developing a program and testing it
How does an organization comply with the red flag rules? Compliance has two distinct parts. The organization must develop and document an Identity Theft Prevention Program and then test the program for its effectiveness.
Compliance can be a complex process, because the prevention program must address the 26 situations that the regulations say are warnings or red flags that fraudulent activity might occur. However, the rules don’t say how the 26 situations must be addressed. Prevention plans are left up to the individual organizations.
You will appreciate our experience with red flag compliance
Who can help you meet the demands of Red Flag compliance? You will appreciate the experience of the Plante Moran security assurance team. Our technology consultants have helped a number of banks, credit unions, and mortgage companies comply with the Red Flag rules.
Our security assurance professionals can rely on that experience when they help you look at the controls you have in place to respond to the 26 red flags. They will assess the effectiveness of those controls and make suggestions to strengthen them so that you will have a solid plan.
Compliance also mandates that organizations include any past security incidents not covered by the 26 red flags and the controls that were put into place to prevent recurrence. In other words, the organization has to add its own red flags and record what has been done to ensure the security breach won’t happen again.
Testing the effectiveness of your red flag program
Our security assurance professionals can also test the effectiveness of your Identity Theft Red Flag Program, another part of compliance. The testing will include interviews with the employees and a review of selected documents. As a result of the review procedures, your management team will receive a report that summarizes the findings of the security assurance team. When appropriate, the report will include recommendations for strengthening your identity theft prevention program.
Keeping your red flag program up to date
It is important for organizations to realize that when there are changes in how they deal with customer information, they must always consider how the changes affect their Identity Theft Prevention Program. Keeping your programs current and testing their effectiveness periodically are essential for compliance and risk management.