Get your practice ready for the “Red Flags Rule”
This year, many veterinary practices will be required to comply with the federal “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003,” otherwise know as the “Red Flags Rule.” A Federal Trade Commission website helps explain the rule –designed to fight identity theft – and lays out the terms under which a business would need to follow it.
Under the rule, which exists on the books now but will not be enforced until May 1, businesses that qualify as “creditors” and have “covered accounts” must develop and implement identity theft prevention programs.
Accepting credit cards as payment does not necessarily qualify a business as a” creditor” under the rule, but businesses that bill consumers after services are provided are considered creditors.
“A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit,” the FTC site says.
The other part of determining whether you are subject to the rule is to see if you have “covered accounts.” According to the rule, a covered account is “(1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.”
If your practice qualifies under these definitions, you must comply with the rule and create a red flag program. According to the FTC, the main things to keep in mind when designing a program are:
- Identify relevant red flags
- Detect red flags
- Prevent and mitigate identity theft
- Update your program periodically
The rule contains guidelines for setting up a program, but does not tell you specifically what to include. However, it does require the program to address certain categories of red flags or warning signs that must be covered in the program. Specifically:
- alerts, notifications, or warnings from a consumer reporting agency
- suspicious documents
- suspicious personally identifying information
- suspicious activity relating to a covered account
- notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts
For questions about compliance or about the rule, e-mail [email protected].