Identify types of suspicious behavior.
Although red flags differ among businesses and industries, the following types of red flags are common to most small businesses:
A customer reports that they have seen suspicious activity in one of their accounts.
A customer opens a new account that contains suspicious elements.
A customer presents you with suspicious documents (e.g., altered ID card, different addresses on different forms of ID, a PO Box as a home address).
You (or your employees) notice unusual activity relating to a customer's account.
Develop policies that will detect suspicious events early — and train your employees.
Policies will differ depending on your business and your industry, but the following are examples of ways you can train your employees, which will become the basis for your Red Flags Policy:
Train about types of red flags they might see when a customer opens an account.
Train about types of red flags they might see when a customer orders a product/service.
Train about types of red flags they might see on an existing account.
Respond to suspicious behavior.
Here are some possible action plans, depending on the circumstances:
Report the red flag event to the police or to other law enforcement agencies, such as the Federal Trade Commission or your state attorney general's office.
If the red flag involves Internet sales you can report the event to the FBI's Internet Crime Complaint Center www.ic3.gov.
Alert your customer that suspicious behavior has been observed on their account.
Refuse to complete a transaction until the suspicious event can be explained.
Request that your customer provide additional documentation to verify that they are who they say they are.
Request that your customer explain the suspicious activity.
Write it down.
Develop a written policy and update it periodically — at least once a year.
Share your policy with all of your employees, and use it to help train them on how to detect and respond to identity theft.