The Federal Trade Commission issued revised guidance designed to help businesses such as dealerships comply with the requirements of the Red Flags Rule, which protects consumers by requiring businesses to watch for and respond to warning signs or "red flags" of identity theft.
Regulators explained that the guidance outlines which businesses — financial institutions and some creditors — are covered by the rule and what is required of businesses to protect consumers from identity theft.
The FTC revised the rule late last year to more narrowly define the types of creditors subject to the rule's requirements.
Under the revised rule, officials said a Red Flag program implemented by a dealer or finance company must have four parts.
First, the program must include reasonable policies and procedures to identify signs — or red flags — of identity theft in the day-to-day operations of the business.
Second, the program must be designed to detect the red flags of identity theft identified by the business.
Third, the program must set out the actions the business will take upon detecting red flags.
Finally, because the FTC contends identity theft is an ever-changing threat, a business must re-evaluate its program periodically to reflect new risks from this crime.
Congress directed the FTC, along with several banking agencies to promulgate the Red Flags Rule in 2007. In December 2010, Congress enacted legislation narrowing the definition of "creditors" covered by the rule.
Regulators said the amended Red Flags Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly conducts one of these activities, including:
—Obtains or uses consumer reports in connection with a credit transaction.
—Furnishes information to consumer reporting agencies in connection with a credit transaction.
—Advances funds to or on behalf of a person, in certain cases.
The newest FTC guidance concerning Red Flags can be downloaded here.