Attention all employers and financial institutions: Do you bill customers after services have been rendered? Do you allow for customers to pay for goods or services over time or in multiple installments? Do you request and use consumer credit reports? If the answer to any of those questions is YES, you are considered a “creditor” under the Red Flag Rules and must develop and implement an Identity Theft Prevention Program by May 1, 2009.

There are four elements to a successful and compliant Identity Theft Prevention Program. Creditors must first devise reasonable policies and procedures to identify relevant Red Flags, which are patterns, practices, or specific activities that indicate the possible existence of identity theft. Second, creditors must design a program to detect Red Flags. Third, the creditor must develop and implement policies and procedures that provide for appropriate responses to detected Red Flags. Lastly, creditors should create policies and procedures to reassess and update the Program periodically. It is also important to note that an effective Program must feature proper administration and oversight, including, but not limited to, creation of a board or committee, training of staff, and oversight of service provider arrangements.

Creditors who violate the Rules will be subject to penalties in the form of monetary penalties for violations. Each single instance of noncompliance may be penalized up to $2,500 per violation. Information security must be a priority for all businesses. The Federal Trade Commission reports that in 2007 alone, more than 8.3 million Americans were victims of identity theft.

The Red Flag Rules offer an ideal opportunity to revisit and revamp customer accounts and identity security efforts. If you need help in the formation, implementation, and administration of Identity Theft Prevention Programs, we can help.

By James R. Bullard, jbullard@dsda.com.