Red FlagsCompliance With FTC Identity Theft Legislation
The Red Flags Rule was established by the U.S. Federal Trade Commission (FTC), based on the 2003 Fair and Accurate Credit Transactions Act (FACTA). This law requires the establishment and maintenance of a program to identify, detect, prevent, and mitigate identity theft for “covered accounts” in day-to-day operations for both financial institutions and creditors. This definition is loose enough to apply to a wide range of companies that hold “transaction accounts” belonging to a consumer, such as brokerage firms or mutual funds, banks, savings and loan associations, mutual savings banks, credit unions, and even public utilities.
Path To Compliance
The path to successful Red Flags compliance is a four-part process:
- IDENTIFY: Institutions must identify likely business-specific identity theft “red flags”
- DETECT: Institutions must define procedures to detect Red Flags in day-to-day operations
- PREVENT and MITIGATE: Institutions must define actions to take when red flags are identified
- MAINTAIN: Institutions must define how their Red Flags program will be maintained and updated
Penalties and Risks
While there are presently no criminal penalties for breach of Red Flags requirements, the FTC may impose a fine of $2,500 per individual incident (customer or transaction), in addition to state penalties of $1,000 per individual incident (customer or transaction, plus attorney’s fees). After receiving an initial regularly warning for non-compliance, organizations may be fined up to $11,000 per individual incident. For organizations with tens or hundreds of thousands of customers, a wide-spread breach may be financially disastrous — as well as extremely damaging to your company’s reputation.
Aerstone can work with your organization to develop the necessary privacy and security policies, and conduct the necessary staff training, that will ensure full compliance with FTC Red Flags requirements. Our application testing services can also help ensure the security posture of your public-facing systems, so that all your sensitive customer information is properly protected.
Our Experience Sets Us Apart
Aerstone is an NSA-certified vulnerability assessor, and a service-disabled veteran-owned small business.
We approach each engagement with the highest levels of professionalism, determination, and creativity, honed by years of working with
security professionals across the military, intelligence community, civilian government, and private industry.
Contact our sales team at firstname.lastname@example.org for more information.