Per the request of several Members of Congress, the Federal Trade Commission (FTC) has once again delayed the enforcement of the Red Flags Rule. The Rule, designed to fight identity theft by requiring organizations defined as “financial institutions” and “creditors” to develop and implement plans to prevent use of fraudulent identity information, is now delayed through December 31, 2010.
By the rule’s definitions of “financial institutions” and “creditors,” many organizations, including nonprofits, are categorized as creditors. It is important that organizations that have identified “covered accounts” examine their preventative identity theft and fraud measures and implement a comprehensive written program before the end of the calendar year.
So what is considered a “covered account?” This term encompasses any type of account that is invoiced or requires multiple payments. Organizations that participate in billing or continuing financial relationships with an individual (member) are subject to scrutiny under the guidelines. This means that an organization that collects dues on a regular basis would be an example of a financial arrangement required to follow the Red Flags Rule guidelines.
The goal of the legislation is to identify key indicators that may potentially be indicative of activity surrounding the attempt to acquire and/or use critical information that could result in identity fraud. While the FTC suggests possible red flag scenarios, there are no mandatory guidelines. The idea is to review your own organizational, structure, size, and billing practices in order to identify your red flag areas.
If your organization is required to comply with the Red Flags Rule, your program must contain four key elements:
If you would like to read the full document entitled “Fighting Fraud with the Red Flags Rule – A How-To Guide for Business,” please visit www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml.
By Mike West, CPA, Supervising Senior Accountant, mwest@legacycpas.com