Red Flags Rule: More Time To Comply
Wednesday, November 11, 2009 16:35
If you have not heard yet, the FTC (Federal Trade Commission) is changing the date they will start enforcing the Red Flags Rule. The enforcement for this rule was to start last week on November 1, 2009, but has been delayed by the FTC until June 1, 2010. This was announced by the FTC on Friday, October 30, 2009.
If you are already in compliance with the Red Flags Rule, you have a little extra time to fine-tune or modify your policies, procedures and identity theft program before compliance actions begin. If you have not heard of the Red Flags Rule or are just in the process of determining what you need to do to comply, then you are given some breathing room; you are no longer behind the eight ball. The Red Flags Rule requires financial institutions and creditors to develop and implement written identity theft programs to identify, detect and respond to identity theft issues. I will not go into the specifics of the rule because I have done that in previous articles. If you have not read my previous articles on the subject you can find them here:
You may think the word “creditor” means you do not need to comply with the rule, but read the FTC's definition of a “creditor” carefully, because it encompasses more than most people think of when using the word. In reality, it includes most businesses that offer services or products and put off the customer paying for them until the product or service has been delivered or performed. Just taking or accepting checks, credit or debit cards for payment, however, does not make you a creditor. Read the rule carefully and then find more information about the rule and additional resources in previous articles I have linked to in this article.
Is Compliance Enough?
One other point I wanted to make about the Red Flags Rule and other regulations that businesses have been dealing with for a while, such as the PCI-DSS requirements, is that just because you comply with the regulation does not mean you are secure. Most regulations should be looked at as minimum security requirements, not as adequate security for your business. Because businesses are tight on time and money, they sometimes just get to the compliance mark and then look no further.
Securing a business should be more than just compliance. It should be more about protecting your customers and your business’s reputation. Without customers, there is no business. If customers lose faith in a business because of a security incident, the business loses money and time dealing with the incident as well as customers who are worried that their information or privacy cannot be protected. Businesses must look beyond just complying with a regulation and look at what they can do to truly protect themselves and customers after compliance has been achieved.
If you have questions about the Red Flags Rule, go to my About Page and send me a message using my contact form. If you have an opinion about anything I have said regarding security, please leave a comment. I would love to hear from you.