Protect your customers and your business by adhering to the Red Flags Rule. Here’s how to stay compliant.
Identity theft. It’s one of the most stressful situations you can find yourself in, mainly because there are so many unknowns. It’s also an unfortunate part of the world we live in, and businesses bear a significant burden in ensuring their customers’ personal information remains protected. That’s why the Federal Trade Commission (FTC) developed and implemented the Red Flags Rule to reduce identity theft.
You may know this rule as one of the Fair Credit Reporting Act’s Identity Theft Rules, and the FTC states that the rule is in the Code of Federal Regulations as “Detection, Prevention, and Mitigation of Identity Theft.”
The Red Flags Rule now falls under the jurisdiction of the Securities and Exchange Commission (SEC), and specifically addresses issues related to identity theft. In short, the rule requires businesses that collect sensitive information from customers, such as Social Security numbers, to have a written identity theft protection program in place to help detect warning signs, or “red flags,” that may indicate an instance of attempted identity theft before things get out of control.
Complying with the Red Flags Rule isn’t difficult. Still, it is critical to ensure the security of your customers and the security of your business since failure to comply can result in fines and other penalties. Our goal is to help you understand the essential elements of the rule and how you can best ensure that your business follows the most current regulations.
The four elements of the Red Flags Rule that you need to know
Red Flags Rule policies vary from business to business, depending on their size and risk level, but they all must address four primary areas.
The first is to identify the red flags relevant to your business. A simple example for a car dealership is a piece of identification (e.g., a driver’s license) that appears to be fake. Other red flags might be alerts from credit checks, other false documents, suspicious account activity, or receiving a notice of potential identity theft from a customer, another business, or a law enforcement agency.
Once you’ve identified all possible red flags, the rule then requires you to implement a program or process to detect them. For example, you might implement technology to verify the authenticity of someone’s personal documents, or you might put a procedure in place to regularly review account activity.
Next, a Red Flags Rule program must spell out how your business will respond to detected threats, whether or not they are confirmed. This can include anything from shutting down suspicious accounts to notifying customers to contacting law enforcement agencies. Your business’s response practices depend primarily on how much risk is associated with the detected red flag and should be commensurate with the seriousness of the warning sign.
Finally, a compliant program must outline how you plan to keep it current to ensure the greatest likelihood that you’ll detect new threats, especially as identity thieves continue to evolve and scheme new ways to get at personal information.
How to administer the program
Once you’ve written your Red Flags Rule program, you’ll need to have it approved by a senior member of the business (if that’s not you). If your company has a Board of Directors, they must approve the initial plan. Then, either the senior employee or the Board, whichever is relevant to your business, is responsible for overseeing the program. Whoever is responsible can delegate tasks to get the program started, but they are ultimately accountable for its success or failure. The person responsible for the program will also need to regularly review business activities to ensure compliance and must also stay on top of changes to the Red Flags Rule and related regulations, updating your business’s written policy as necessary.
It’s also a good idea for the person who oversees the program to report to senior management or the Board at least once a year with insights into the effectiveness of the program and suggestions for any changes.
Employee training for your dealership
The Red Flags Rule requires that you train your staff “as necessary,” so you may not need to invest time in educating your entire team. (If you have someone in marketing, for example, they likely won’t need to be trained as they generally don’t handle or process sensitive information.) However, when it comes to identity theft, the more eyes you have looking out, the better. If all of your employees are trained to spot fraudulent activity, it’s more likely that you’ll detect issues before they become significant problems.
Penalties for non-compliance
While no regulatory agency conducts regular audits on Red Flags Rule programs, the SEC could launch an investigation into your business should a problem arise. If you’re found to be non-compliant, you could be fined $3,500 for each violation—a penalty that can add up since multiple infractions may be found with a single program. To avoid unintentional penalties, you may wish to consult legal counsel before finalizing your business’s plan and conduct regular internal audits on your program to ensure continued compliance.
Of course, one easy way to track compliance is through automotive management software designed specifically for the automotive industry.