The signing of legislation on 12/18 exempting certain health care practitioners and other businesses from complying with the Red Flags Rules would seem to clear the way for enforcement to begin at the end of this month. Financial institutions have had to comply with the guidelines since 1/1/2008, but regulatory enforcement has been delayed several times as organizations representing attorneys and physicians lobbied to exempt these professionals from complying.
A Red Flag is defined by the FTC as “…a pattern, practice, or specific activity that indicates the possible existence of identity theft.” Financial institutions are expected to already have established a formal Identity Theft Prevention Program that contains reasonable policies and procedures to:
- Detect, and
…to any Red Flags that might indicate the presence of ID theft. You must also have a process in place for administering the program, which includes involving the Board and senior management, training your staff, and the appropriate oversight of service providers.
Expect examiners to ask to review your ID Theft Program in your next examination, and request that your next audit include a review as well.