Here's a trivia question. What does the Department of the Treasury, Federal Reserve System, FDIC, National Credit Union Administration and the FTC have in common? (Besides all being Federal Government Agencies.)
Answer: Red Flag Rules for businesses to implement to protect their clients and customers from identity theft.
What are "Red Flag Rules," you might ask? Great question. If you would like to read the more than 60-page document in the Federal Register (Vol. 72, No 217), you will find it great bed time reading ... it will most definitely put you to sleep faster than counting sheep! In it, in the usual government fashion, it defines the issue but gives few actual steps for businesses to take to avoid the penalties for not implementing a system of identifying potential risks of identity theft occurring and taking common sense steps to reduce those risks.
So, to boil it all down, here are some common sense suggestions for businesses to consider.
1. Who must comply? "Financial institutions" and "creditors mostly for personal, family or household purposes." As an example, a CPA firm who extends credit to their non-business clients by billing them for services and collecting later would be considered a "creditor" under these rules.
2. How flexible are the Red Flag Rules? The requirements allow for appropriate size and complexity, as well as the nature of the business operations. Thus, there is some "wiggle room" for how big and extensive your "plan" must be to comply. The goal is to include reasonable policies and procedures to identify the "red flags" of identity theft your business may run across in its day-to-day operations. An example: If a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a "red flag".
3. How does a business create their Red Flag Rules? Create a simple written plan that identifies the basic risks of sensitive data being acquired by identity thieves. Include in your plan the basic appropriate responses that would prevent or mitigate those risks. There are five basic categories you should address:
1. Alerts, notifications, or warnings from a consumer reporting agency
2. Suspicious documents
3. Suspicious personally identifying information, such as an address, phone number, Social Security number, driver's license, etc.
4. Unusual use of, or suspicious activity relating to an account
5. Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
For more information and assistance in writing your Red Flag Rule plan, talk to your CPA or go to ... www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf
• Kelly Bullis is a Carson City certified public accountant with more than 30 years of experience. Contact him at 882-4459.