Compliance update for the insurance industry.
Deb Geister / LexisNexis Risk & Information Analytics Group &
Peter Lynch / Claims Solutions with LexisNexis Risk Solutions

As of November 1, 2009, financial institutions and other creditors, including insurance companies, must be in compliance with the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). In fact, this November 1st deadline represents a reprieve that the Federal Trade Commission granted to allow institutions more time to achieve compliance. The Red Flag rules are designed to mitigate and prevent identity theft, which is defined as any fraud that involves obtaining benefits, especially financial, by pretending to be someone else. Since many consumers have insurance benefits, compliance with the mandates is crucial for insurance companies.
The Red Flag rules are broad in scope, defining financial institutions as any organization engaged in banking, insurance or similar activities, and many of the definitions within the new rules could greatly expand compliance demands. Organizations that offer covered accounts—any consumer account involving multiple payments or transactions—are subject to the provisions. Insurance companies continue to evolve, offering more traditional financial services and investment products. With the vast amount of personal information that is stored electronically, it is absolutely critical that the industry take the Red Flag rules seriously and that companies implement thorough and effective compliance programs.
The rules state that, in order to be compliant, any “financial institution and creditor that holds any customer account, or other account, for which there is a reasonable, foreseeable risk of identity theft” must develop an identity theft prevention program. There are four principal components:
- Identification of activity that may signal possible identity theft
- Ongoing detection of red flags that have been identified
- Effective action to prevent and mitigate theft
- Periodic review and updating of red flags and procedures to keep pace with emerging threats
In addition to the four principal components above, the Red Flag provisions state that an institution’s identity theft prevention program must be written and managed by the board of directors or senior company management. Training must be provided for all appropriate staff members, and service providers must be properly overseen.