July 1, 2009
Authored by: Robert Klingler
Although some questioned whether the day would arrive, the Red Flag Rules issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration go into effect August 1, 2009. The Rules are drafted broadly and will apply to many different companies, including “financial institutions and creditors with covered accounts.” Essentially, if you offer any form of loan or maintain any form of money account, you will have to comply with the Red Flag Rules.
Preparing for August 1
The biggest step you should take is to prepare a Red Flag Plan. Although the Rules stress that each program should be tailored to the individual entity, some central elements should be present:
- IDENTIFICATION – Make sure your plan identifies what constitutes a “red flag” (i.e. what could reasonably indicate identity theft).
- DETECTION – Make sure you have a written procedure for how you will detect, understand and process any red flags.
- RESPONSE – Make sure you adequately define how you will respond, making sure that you include enough flexibility to respond adequately to different levels of threat.
- MAINTENANCE – Make sure you have a set process for reviewing, updating and revising your Red Flag Plan.
- OVERSIGHT – Make sure the plan is properly approved by the Board of Directors, Managers or similar management positions, and includes explicit designations of power as to who in management (either the Board or a senior officer) will oversee the Plan and its execution.
Once you have a base Plan written and in place, make sure you are ready to implement the policies effectively. After adopting your initial Plan, you will have to take additional steps, including:
- preparing an annual report regarding the Plan’s effectiveness,
- monitoring relationships with service providers,
- analyzing your responses to any incidents, and
- improving your Plan and its implementation in accordance with these factors.
Although the FTC intends to publish sample Plans for “low-risk” and “high-risk” companies (terms that are still somewhat hazy at this point), many companies are seeking outside business and legal counsel to ensure their plan addresses the requirements of the Red Flag Rules.
Understanding both the banking issues and data security issues is key to making sure your Plan is in compliance and appropriately responds to your business needs. If you aren’t sure if you are ready for August 1, our Financial Institutions Group can assist in drafting your institution’s Plan or in reviewing your current Plan. If you need more specific help with your Plan, contact either Roy Hadley (404-572-4510) or Toby Butler (404-572-5709) directly.