Is My NFP Required to Have an Identity Theft Prevention Program?

The "Red Flags Rule," established by the Federal Trade Commission (FTC), requires certain businesses and organizations to establish a formal, written Identity Theft Prevention Program that detects the "red flags" of possible identity theft in the organization's day-to-day operations. The rule also requires covered organizations to respond appropriately to the red flags they detect and to mitigate the damage identity theft inflicts.

If your not-for-profit (NFP) offers installment plans or provides goods and/or services and bills customers later, you may be a "creditor" under the rule and required to have an Identity Theft Prevention Program. The FTC's guidance gives as examples clubs, associations, and other non-profit organizations that allow people to pay dues or pledges in installments; hospitals or clinics that do not require full payment at discharge; and colleges, universities, and schools that do not require full tuition payment at the time of enrollment. Note that the Red Flag Program Clarification Act of 2010 narrowed the definition of "creditor" to organizations that, in the ordinary course of business, regularly obtain or use consumer reports, furnish information to consumer reporting agencies, or advance funds based on an obligation to repay. An organization that only defers payment for its own goods or services may fall outside the rule, so confirm which category your billing practices place you in before deciding the rule does not apply.

The "Red Flags Rule" is a part of the Fair and Accurate Credit Transactions (FACT) Act and has four major parts that your organization must comply with:

  • It must include reasonable policies and procedures to identify the red flags of identity theft you may run across in the day-to-day operation of your business.
  • It must be designed to detect the red flags you have identified.
  • It must delineate appropriate actions you will take when you detect red flags.
  • It must address how you will monitor and re-evaluate your program periodically to reflect new risks from time to time.

So what IS a "Red Flag"?

Red flags are patterns, practices, or specific activities that indicate the possibility of identity theft. The FTC lists the following as examples: alerts, notifications, or warnings from a consumer reporting agency in response to a credit check (including a fraud alert, an active-duty alert, or a notice of a credit freeze); an application with inaccurate, incomplete, or internally inconsistent information; suspicious documents, such as identification that appears altered or forged; and suspicious personal identifying information, such as an address that conflicts with other records, an unexplained address change shortly after a request for a new account or card, or a Social Security number that has not been issued.

The FTC considers the program important enough that it must be handled at the board of directors' level. The board (or an appropriate committee of the board, or, if there is no board, a designated member of senior management) must approve the initial written program. Day-to-day oversight may be delegated to senior management, but staff responsible for the program must report to the board or senior management at least annually on its effectiveness, significant incidents and the organization's response, and any recommended changes.

Identity theft, and the failure to have a compliant program, can hurt an organization in two significant ways:

  • An incident can damage your reputation with the donors, members, patients, or students whose information you hold.
  • Failing to comply with the rule can carry significant civil penalties.

The FTC can seek civil penalties of up to $3,500 per violation of the rule, and for certain rule violations the maximum statutory penalty per violation can be as high as $16,000. These dollar amounts are adjusted for inflation over time, so verify the current figures with the FTC. Continued violations allow the FTC to sue in federal court, seeking penalties for each violation as well as equitable relief.

For more information, talk to one of the members of our NFP group.