In 2007, the Federal Trade Commission (“FTC”) promulgated the “Red Flags Rule” (“Rule”) to implement the identity theft provisions of the Fair and Accurate Credit Transactions Act of 2003, Pub. Law 108-159. On April 30, 2009, the FTC announced its decision to extend the deadline for compliance with the Rule to August 1, 2009. FTC Chairman Jon Leibowitz explained: “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”
Under the Rule as currently stated, financial institutions and creditors with covered accounts must implement identity theft prevention programs to identify, detect, and respond to activities that could indicate identity theft. Failure to comply with the Rule can result in regulatory enforcement action and monetary penalties. Although the Rule does not provide for a private right of action, a violation of the Rule may form the basis for claims under state law.
What businesses must comply?
The Rule applies to “financial institutions” and “creditors” with “covered accounts.” A “financial institution” is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” (an account from which the account holder makes payments or transfers) belonging to a consumer. 15 U.S.C. § 1681a(t). A “creditor” is broadly defined to include any entity that regularly extends or renews credit, arranges for such credit, or participates in the decision to extend or renew credit. See 15 U.S.C. § 1681a(r)(5). Creditors include, for example, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and retailers that offer credit to customers, or that arrange for the extension of credit to customers, including business customers. Essentially, any business that provides goods or services to consumers for which it does not receive immediate payment may fall within the definition of “creditor.”
If a business falls within the definition of “financial institution” or “creditor,” then the Rule applies if it has any “covered accounts.” There are two types of covered accounts. First, consumer accounts used primarily for personal, family, or household purposes, and that involve multiple payments or transactions, are covered accounts. 16 C.F.R. § 681.2(b)(1). Examples include credit card accounts, mortgage loans, automobile loans, cell phone accounts, utility accounts, and bank accounts. Second, any other type of account that a financial institution or creditor offers is a covered account if there is a reasonably foreseeable risk to customers or to the institution from identity theft. Such risk includes financial, operational, compliance, and litigation risks. These types of accounts may include small business and sole proprietorship accounts.
What Does the Rule Require?
The Rule requires each financial institution and creditor that holds any covered account to develop, implement and administer an Identity Theft Prevention Program (“ITPP”) for combating identity theft for these accounts. The ITPP must include four elements: (1) reasonable policies and procedures to identify “red flags” (suspicious patterns, practices, or specific activities that indicate the possibility of identity theft); (2) procedures for detecting red flags; (3) identification of appropriate actions to take in response to red flags to prevent and mitigate identity theft; and (4) a mechanism for periodically updating the program to reflect changes in risks. The board of directors, or a committee of the board, must approve the ITPP. The ITPP must identify who will administer the program and must provide for employee training.
The FTC has identified a four-step process for complying with the Rule:
Step 1: Identify the Relevant Red Flags.
The first step is to identify relevant patterns, practices, and specific forms of activity that are red flags signaling possible identity theft and incorporate those red flags into the ITPP. See 16 C.F.R. § 681.2(b)(9). There is no laundry list of red flags applicable to all companies or all accounts. Rather, the red flags may be different for each company and for each type of account. However, the FTC has identified general categories of red flags that companies should consider including in their ITPP.
Step 2: Develop Procedures for Detecting Red Flags.
The second step is to develop procedures for detecting red flags in the course of normal operations. The procedures may differ for new accounts and existing accounts. For existing accounts, the company must develop procedures for authenticating customers and monitoring transactions. Authentication methods may include passwords, PINs, smart cards, tokens, and biometric identification. For new accounts, the company must determine what information and documentation customers must provide to open an account, and how it will verify that information.
Step 3: Prevent and Mitigate Identity Theft.
After the red flags are identified and detection procedures are in place, the company must respond to detected red flags to prevent identity theft and mitigate its effects. The particular action a company should take will depend on the circumstances. However, the FTC’s guidelines to the Rule identify some of the appropriate types of responses, including: monitoring a covered account for evidence of identity theft; contacting the customer; changing passwords, security codes, or other means of access to an account; closing an account; or determining that no action is required.
Step 4: Maintain and Update the ITPP.
The Rule recognizes that the ITPP may need to be changed as technology changes. In addition, changes in how identity thieves operate, changes in the methods of identifying and detecting identity theft, changes in the accounts offered, and changes in corporate structure (such as mergers and acquisitions) may each require modification of a company’s ITPP.
This Client Alert has been prepared by Lewis and Roca LLP for informational purposes only and is not legal advice. Readers should seek professional legal advice on matters involving these issues.