The Federal Trade Commission (FTC) will begin enforcing its identity theft Red Flags Rule on November 1, 2009. The rule covers a surprisingly broad range of businesses that fall within the FTC's definition of a creditor. Any business that bills customer accounts after products or services are provided is treated as a creditor under the FTC's rules and, if it maintains covered accounts, must comply with the rule by that deadline.
The FTC Red Flags Rule[i] was issued almost two years ago, became effective on January 1, 2008, and will be enforced starting November 1 of this year. The rule requires certain businesses and organizations to spot and address telltale patterns, practices, or specific activities that indicate the possible existence of identity theft. The FTC, the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) will enforce the rule, which requires companies that are creditors or financial institutions to develop a written "red flags program" to prevent, detect, and minimize the damage from identity theft. The rule's surprisingly broad definitions, particularly of "credit" and "creditor", mean that many businesses must comply with the rule or be subject to fines.
Who Is Covered
The rule applies to creditors and financial institutions that maintain covered accounts. An account is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes.[ii] The FTC's definitions of creditor, credit, and covered account are very broad, however, and many businesses may be unaware that they are creditors extending credit and maintaining covered accounts, and that the rule therefore applies to them.
- Creditor is defined as any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.[iii] Some obvious examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and non-profit and government entities that allow deferral of payment for goods or services.
- Credit is defined as an arrangement by which debt payments are deferred or deferred payments are accepted for the purchase of property or services.[iv] In other words, payment is made after the product is sold or the service is rendered. Creditor status therefore appears to turn on the timing of billing for the goods or services provided. If goods or services are billed after they are provided, the rule may apply, provided the business also holds a covered account. If payment is due before or at the time the goods are supplied or the services are performed, the rule is unlikely to apply. For example, health club membership dues payable by the first of the month for the current month do not establish a credit relationship. The fact that some such payments may become delinquent does not make the health club a creditor under the rule, nor does accepting credit cards as a form of payment.
- Covered account: There are two types of covered accounts: (1) an account used primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, such as credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts; and (2) any other account for which there is a reasonably foreseeable risk of identity theft. Examples of the second category include accounts maintained by small businesses and sole proprietorships, and single-transaction consumer accounts. Consumer accounts designed to permit multiple payments or transactions are always covered accounts; an account of the second type is a covered account only if the risk of identity theft is reasonably foreseeable. In determining whether the risk is foreseeable, financial institutions and creditors should consider the risks associated with how the accounts may be opened or accessed, i.e., what type of interaction and documentation is required, as well as the entity's own experience with identity theft.
- Financial institution is defined as a bank, savings and loan, credit union, or other entity that holds a transaction account belonging to a consumer.[v] A transaction account is a deposit or account from which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar means for the purpose of making payments or transfers to third parties; it includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.[vi] The rule applies if the financial institution holds a transaction account that is also a covered account.
Elements of a Compliant Plan
Creditors and financial institutions with covered accounts must comply with the rule by developing and administering a written red flags program. The FTC has published a "do-it-yourself" prevention program for businesses and organizations at low risk for identity theft.[vii] For those who do not qualify as low risk, there is no model form or template, but there is guidance as to the elements of a written program. For higher-risk entities, a compliant red flags program must include the following four elements:
1. Identify relevant red flags. The program must identify and address the following categories of warning signs, with due consideration for the nature of the business and the type of identity theft to which the organization might be vulnerable:
- alerts, notifications, or warnings from a consumer reporting agency;
- suspicious documents;
- suspicious personally identifying information;
- suspicious activity relating to a covered account; or
- notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
2. Detect red flags. Once the red flags are identified, policies and procedures must be established to detect them in day-to-day operations.
3. Prevent and mitigate identity theft. The written program must include appropriate responses to red flags, including monitoring or closing an account, not opening a new account, contacting the customer when a red flag is detected, or a combination of the foregoing.
4. Periodically update the program. Since identity theft threats change, the program must describe how it will be updated to ensure consideration of new risks and trends.
Each creditor or financial institution required to implement a program must provide for the continued administration of the program and must: (1) obtain approval of the initial written program from either the entity's board of directors or an appropriate committee of the board of directors; (2) involve the board of directors, an appropriate committee, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the program; (3) train staff, as necessary, to effectively implement the program; and (4) exercise appropriate and effective oversight of service provider arrangements, so that third parties performing activities in connection with covered accounts also comply with the program.
With the enforcement deadline looming, businesses need to decide immediately whether the rule applies to them. If a red flags program is required, businesses must develop, adopt, and implement their program in accordance with the rule. Resources to assist businesses with their red flags programs are available on the FTC website, including Fighting Fraud With The Red Flags Rule: A How-To Guide For Business.[viii]
[ii] 15 U.S.C. § 1693a(2).
[iii] 15 U.S.C. § 1681a(r)(5); 15 U.S.C. § 1691a(e).
[iv] 15 U.S.C. § 1681a(r)(5); 15 U.S.C. § 1691a(d).
[vi] 12 U.S.C. § 461(b)(1)(C).