In May 2009, the FTC will begin to enforce the Red Flags Regulations and Guidelines, which require most creditors and financial institutions to adopt a written program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. Every creditor and financial institution covered by the rule must adopt a risk-based program that identifies red flags relevant to its own operation and, more importantly, how it will respond to them.
The definition of the term "covered account" can be divided into two parts. The first part of the definition refers to an account that a creditor or financial institution offers primarily for personal, family, or household purposes that involves, or is designed to permit, multiple payments or transactions. Examples to illustrate these types of consumer accounts are credit card accounts, mortgage loans, auto loans, margin accounts, cell phone accounts, utility accounts and checking or savings accounts. The second part of the definition speaks to any other account that the creditor or financial institution offers or maintains for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the creditor or financial institution. The FTC says that the second part of the definition may extend to any business-to-business account that is deemed vulnerable as a result of its required Red Flags risk assessment. To determine whether a business has such an account, it needs to consider the risks associated with how the accounts may be opened or accessed--that is, what type of interaction and documentation is required--as well as the company's experience with identity theft.
Because the definition of a covered account is so broad, NACM recommends that all credit departments take the lead in conducting their companies' risk assessments and then assist with the design of a written program to comply with the FTC's Red Flags Regulations. The written Red Flags Program must detail the ways in which a creditor will identify patterns, practices and specific forms of activities that indicate the possible existence of identity theft--or a fraud committed or attempted--using the identifying information of another person without authority. Each company's Red Flags Program must be tailored to the size, complexity and nature of its operations.
As credit professionals know, the term "identifying information" refers to any name or number that may be used alone, or in conjunction with any other information, to identify a specific person. Examples of identifying information include any name, social security number, date of birth, state- or government-issued driver's license or passport number; fingerprint, voiceprint or other unique physical representation; or unique identification number, address or routing code. Under the FTC's regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of identity theft because such a fraud involves using the identifying information of another person without authority.
Although commercial credit best practices dictate that credit professionals "know their customers" before establishing a line of credit, the Red Flags Regulations require these practices to be captured in writing, addressing four key areas. Specifically, your written Red Flags Program will address how your company will:
* Identify the risk: What are your company's relevant Red Flags?
* Detect Red Flags