Red Flags Rule Compliance

Certified Red Flag Specialist® members can assist companies with their Red Flags Rule compliance needs by:

• Developing a risk assessment methodology and conducting a comprehensive risk assessment of the organization,
• Designing and developing a written Identity Theft Prevention Program,
• Conducting an independent Red Flags Rule compliance audit to assess the effectiveness of the program, and
• Offering training assistance.

Compliance team members are active Certified Red Flag Specialist® professionals who have audit, compliance, security and fraud management experience. CRFS members undergo comprehensive training and rigorous examination by IMI, and, are familiar with the government examination guidelines.

IMI’s certified  members perform the compliance audit using a structured audit program in alignment with government audit guidelines to gather information and request documentation for review and testing. The audit deliverable may include an interim report to provide improvement recommendations, and, a final report to certify the Red Flags Rule compliance program. The audit is mostly completed remotely but may require onsite visit for personnel inquiries, observation, and testing.

The Red Flags Rule applies to financial institutions and creditors with covered accounts.

A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer.

Creditors include finance companies, non-bank financial services companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they are also considered creditors.

Covered companies typically offer a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, and, any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

While the government auditors do not conduct routine compliance audits, they will perform an audit in response to a complaint. If your company is covered by the Red Flags Rule, non-compliance will result in a financial penalty. Below is a summary of Red Flags Rule Penalties for Non-Compliance:

• Federal: The courts could inflict penalties of up to $2500 for each independent violation of the Rule.
• State Enforcement: States are authorized to bring actions on behalf of their residents and may recover up to $1000 for each violation, and also recover attorney’s fees.
• After Regulatory Warning: $11,000 per individual incident
• Civil Liability: Consumers may be entitled to recover actual identity theft damages and fees of up to $3500 per violation. Identity theft lawsuits can result in massive financial losses, ruined business reputation, and loss of clients.

Identity Management Institute (IMI) has listed four general areas which must be assessed during the audit:

1. Program Administration
2. Risk Assessment Process
3. Red Flag Management
4. Program Management

Program Administration: The Rule requires the proper administration of the written Program to establish oversight, scope, objectives, responsibilities, reporting and timing. Program administration also requires the designation of a Program manager, periodic updates, independent audits, approval by the Board of Directors (BOD), a committee of the BOD, or senior management, appropriate staff training, and service provider oversight.