|USA based financial institutions and other “creditor” businesses, not-for-profit entities, or government entities with “covered accounts” should be in compliance with — the U.S. Federal Trade Commission’s so-called Red Flags Rule (PDF). |
In general terms, the rule requires creditor organizations to implement, monitor, and periodically revise a written identity theft program to detect and respond to warning signs — or red flags — of customer identity theft. Much of the controversy concerns the definition of creditor organization, which the FTC itself characterizes as broad. Under the rule, a creditor organization is defined as a business entity that “regularly provides goods or services first and allows customers to pay later.” FTC-provided examples range from banks and other financial services institutions to utilities and telecommunications companies to health care providers, lawyers, accountants, and other professionals. The definition also covers organizations “that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions” such as finance companies, mortgage brokers, and automobile dealers or other retailers that offer financing or collect or process credit applications for third-party lenders.
Under the regulation, Crowe Horwarth published a white paper on the subject.