In addition to the statutes and regulations specific to certain industries (primarily health care), a new regulation has been issued that applies to a wide range of businesses. Known as the Red Flags Rule, the regulation goes into effect on June 1, 2010 and will be enforced by the Federal Trade Commission (FTC), all federal bank regulatory agencies and the National Credit Union Administration. On May 28, 2010, the FTC announced that it was delaying enforcement of the Red Flags Rule until December 31, 2010.
The Red Flags Rule requires that all organizations subject to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) develop and implement a formal, written and revisable "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft.
This new regulation applies to financial institutions and creditors with so-called "covered accounts," which include such things as credit card accounts, mortgage loans, auto loans, margin accounts, cell phone accounts, utility accounts, checking accounts and most types of savings accounts. In fact, any account for which there is a foreseeable risk of identity theft is a covered account under the Red Flags Rule. "Financial institution" is defined broadly as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer. A "transaction account" is considered a deposit or other account from which the owner makes payments or transfers, including checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
What makes the Red Flags Rule so sweeping, however, is its applicability to "creditors," which are defined as any entity with covered accounts that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor that is involved in the decision to extend, renew or continue credit.
Accepting credit cards as a form of payment, by itself, does not make an entity a creditor. The range of businesses that fall within the scope of this definition, however, is enormous and includes finance companies, automobile dealers, mortgage brokers, utilities and telecommunication companies. The FTC has argued that law firms are also creditors for purposes of the Red Flags Rule, but the Federal District Court in Washington, D.C., ruled otherwise in early 2010. The FTC recently announced that it will appeal that decision.
Even not-for-profit organizations and government entities are not exempt. If they defer payment for goods or services, they will be treated as creditors for purposes of the Red Flags Rule.
To comply with this sweeping legislation, businesses must develop a written program that identifies and detects the warning signs of identity theft. These "red flags" fall into five general categories:
- Alerts, notifications or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Unusual use of or suspicious activity relating to a covered account
- Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts
The written program must describe appropriate responses that would prevent and mitigate identity theft, and detail a plan to update the program. Furthermore, it must be managed by the business' board of directors (or senior employees in the case of a financial institution or creditor), include appropriate staff training, and provide for oversight of any service providers used by the business.
Many businesses already have general risk policies and procedures in place, but even those may not pass muster under the Red Flags Rule. In fact, the final regulation requires a separate Identity Theft Prevention Program, although it can reference other policies and procedures already in place to avoid unnecessary duplication.
The Red Flags Rule does not require businesses to be perfect in order to be in compliance. If the FTC or other governing agency raises an issue, the business will have an opportunity to show that it made a "reasonable effort" to comply with the regulation. Failure to comply may result in agency-imposed sanctions. Of even greater concern, however, is the risk associated with lawsuits that could result from failing to comply, as well as damage to the business' reputation.
For general information about the Red Flags Rule, visit the news section of the FTC's website and its How-To Guide for Business. For legal advice regarding your particular situation, businesses should consult with their attorneys.