For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely — say, through the Internet or the telephone. Your risk analysis must consider any actual incidents of identity theft involving accounts like these. But business models and services change. You may acquire covered accounts through changes to your business structure, process, or organization. Many companies already have plans and policies to combat identity theft and related fraud.
Risk Factors. Different types of accounts pose different kinds of risk. For example, red flags for deposit accounts may differ from red flags for credit accounts, and those for consumer accounts may differ from those for business accounts. When you are identifying key red flags, think about the types of accounts you offer or maintain; the ways you open covered accounts; how you provide access to those accounts; and what you know about identity theft in your business.
Sources of Red Flags. Consider other sources of information, including the experience of other members of your industry. Categories of Common Red Flags. Supplement A to the Red Flags Rule lists specific categories of warning signs to consider including in your program. The examples here are one way to think about relevant red flags in the context of your own business. Sometimes, using identity verification and authentication methods can help you detect red flags. Consider whether your procedures should differ if an identity verification or authentication is taking place in person, by telephone, mail, or online.
You may be using programs to monitor transactions, identify behavior that indicates the possibility of fraud and identity theft, or validate changes of address. If so, incorporate these tools into your program.
When you spot a red flag, be prepared to respond appropriately. Your response will depend on the degree of risk posed. It may need to accommodate other legal obligations, like laws about providing and terminating service. The facts of a particular case may warrant using one of these options, several of them, or another response altogether.
Consider whether any aggravating factors raise the risk of identity theft. The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics, and requires periodic updates to your program. Factor in your own experience with identity theft; changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts you offer; and changes in your business, like mergers, acquisitions, alliances, joint ventures, and arrangements with service providers.
Your Board of Directors — or an appropriate committee of the Board — must approve your initial plan. The Board may oversee, develop, implement, and administer the program — or it may designate a senior employee to do the job. Remember that employees at many levels of your organization can play a key role in identity theft deterrence and detection.
In administering your program, monitor the activities of your service providers. One way to make sure your service providers are taking reasonable steps is to add a provision to your contracts that they have procedures in place to detect red flags and either report them to you or respond appropriately to prevent or mitigate the crime.
Other ways to monitor your service providers include giving them a copy of your program, reviewing the red flag policies, or requiring periodic reports about red flags they have detected and their response. As a result, the Guidelines are flexible about service providers using their own programs as long as they meet the requirements of the Rule.
The person responsible for your program should report at least annually to your Board of Directors or a designated senior manager. The Red Flags Rule is published at 16 C. See also 72 Fed. The preamble — pages 63,, — discusses the purpose, intent, and scope of coverage of the Rule. The text of the FTC rule is at pages 63,, The Rule includes Guidelines — Appendix A, pages 63,, — intended to help businesses develop and maintain a compliance program.
The Supplement to the Guidelines — page 63, — provides a list of examples of red flags for businesses and organizations to consider incorporating into their program. See 16 C. See 15 U. See 12 U. Transaction accounts include checking accounts, negotiable orders of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
See also Regulation B. For purposes of the Red Flags Rule, a creditor —. This Rule may be a helpful starting point in developing your program. Red Flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. If you have identified fake IDs as a red flag, for example, you must have procedures to detect possible fake, forged, or altered identification.
An identity theft program should be appropriate to the size and complexity of the entity and the nature and scope of its activities. An SEC-regulated entity will generally qualify as a financial institution if it holds a transaction account belonging to an individual. An account may be a transaction account and therefore the entity holding the account may qualify as a financial institution if the individual account owner can personally make payments or transfers of money from his or her account to third parties, or can direct the SEC-regulated entity to make such payments or transfers to third parties.
Please see section II. An SEC-regulated entity will generally qualify as a creditor if it advances or loans money to consumers. However, an entity will not qualify as a creditor if it advances money for expenses incidental to a service provided by the entity.
A covered account is generally: (1) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or (2) any other account that poses a reasonably foreseeable risk to customers of identity theft.
Please direct questions regarding small investment companies and small investment advisers to the Division of Investment Management. Please direct questions regarding small brokers or dealers to the Division of Trading and Markets. Questions may be directed to the Division of Trading and Markets by e-mail at tradingandmarkets sec.