Advertisement

April 17, 2014

FTC Announces that it is Delaying Enforcement of the Red Flags Rule until December 31, 2010

In addition to the statutes and regulations specific to certain industries (primarily health care), a new regulation has been issued that applies to a wide range of businesses. Known as the Red Flags Rule, the regulation goes into effect on June 1, 2010 and will be enforced by the Federal Trade Commission (FTC), all federal bank regulatory agencies and the National Credit Union Administration.   On May 28, 2010, the FTC announced that it was delaying enforcement of the Red Flags Rule until December 31, 2010.

The Red Flags Rule requires that all organizations subject to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) develop and implement a formal, written and revisable "Identity Theft Prevention Program" to detect, prevent and mitigate identity theft.

This new regulation applies to financial institutions and creditors with so-called "covered accounts," which include such things as credit card accounts, mortgage loans, auto loans, margin accounts, cell phone accounts, utility accounts, checking accounts and most types of savings accounts. In fact, any account for which there is a foreseeable risk of identity theft is a covered account under the Red Flags Rule. "Financial institution" is defined broadly as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer. A "transaction account" is considered a deposit or other account from which the owner makes payments or transfers, including checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

What makes the Red Flags Rule so sweeping, however, is its applicability to "creditors," which are defined as any entity with covered accounts that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor that is involved in the decision to extend, renew or continue credit.

Accepting credit cards as a form of payment, by itself, does not make an entity a creditor. The range of businesses that fall within the scope of this definition, however, is enormous and includes finance companies, automobile dealers, mortgage brokers, utilities and telecommunication companies. The FTC has argued that law firms are also creditors for purposes of the Red Flags Rule, but the Federal District Court in Washington, D.C., ruled otherwise in early 2010. The FTC recently announced that it will appeal that decision.

Even not-for-profit organizations and government entities are not exempt. If they defer payment for goods or services, they will be treated as creditors for purposes of the Red Flags Rule.

To comply with this sweeping legislation, businesses must develop a written program that identifies and detects the warning signs of identity theft. These "red flags" fall into five general categories:

  • Alerts, notifications or warnings from a consumer reporting agency
  • Suspicious documents
  • Suspicious personally identifying information, such as a suspicious address
  • Unusual use of or suspicious activity relating to a covered account
  • Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts

The written program must describe appropriate responses that would prevent and mitigate identity theft, and detail a plan to update the program. Furthermore, it must be managed by the business' board of directors (or senior employees in the case of a financial institution or creditor), include appropriate staff training, and provide for oversight of any service providers used by the business.

Many businesses already have general risk policies and procedures in place, but even those may not pass muster under the Red Flags Rule. In fact, the final regulation requires a separate Identity Theft Prevention Program, although it can reference other policies and procedures already in place to avoid unnecessary duplication.

The Red Flags Rule does not require businesses to be perfect in order to be in compliance. If the FTC or other governing agency raises an issue, the business will have an opportunity to show that it made a "reasonable effort" to comply with the regulation. Failure to comply may result in agency-imposed sanctions. Of even greater concern, however, is the risk associated with lawsuits that could result from failing to comply, as well as damage to the business' reputation.

For general information about the Red Flags Rule, visit the news section of the FTC's website and its How-To Guide for Business. For legal advice regarding your particular situation, businesses should consult with their attorneys.

About the Author

Principal

Neil B. Posner, Chair of the firm's Policyholders' Insurance Coverage practice group, focuses his legal practice in the area of insurance coverage, with specific emphasis on insurance recovery and dispute resolution, risk management, loss prevention and cost containment. His clients include a range of public and private companies, organizations, boards of directors, individual officers and other policyholders.

312-521-2623

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be  a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.

The National Law Review - National Law Forum LLC 4700 Gilbert Ave. Suite 47 #230 Western Springs, IL 60558  Telephone  (708) 357-3317 If you would ike to contact us via email please click here.