In November 2007, as part of its implementation of the Fair and Accurate Credit Transactions Act of 2003, the Federal Trade Commission (FTC) released a set of regulations, commonly called the "Red Flag Rules," requiring certain entities to develop and implement policies and procedures to protect consumers from identity theft. While the rule was originally scheduled to go into effect on November 1, 2008, advocacy efforts by some medical associations resulted in a six-month delay in enforcement until May 1, 2009. The Red Flag Rules are very broad, with the FTC estimating that millions of businesses and organizations nationwide fall under the Rules.
The Red Flag Rules first and foremost apply to financial institutions, such as banks and lenders. However, the Rules also apply to "creditors," a term that includes "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." The FTC takes an extremely broad view of the term. Businesses and organizations that provide goods or services "now" and bill their customers "later" are covered under this definition. Utility companies, health care providers, and cable and telephone companies are just a few examples of the types of businesses that must comply with the Rules. In addition, businesses that grant loans, arrange for loans or the extension of credit, or make credit decisions are also considered "creditors." Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others (for example, by processing credit applications).

Under the Red Flag Rules, once an entity is found to be a "creditor," the next question is whether it maintains "covered accounts." As defined in the regulations, a "covered account" is: (1) an account, for personal, family, or household purposes, that permits multiple payments or transactions; or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. The Red Flag Rules are limited to accounts relating to individual consumers. A company that deals only with other businesses does not have to comply with the Red Flag Rules. Just like the definition of "creditor," the definition of "covered account" is broad. If you are a creditor and maintain accounts for individual consumers, you must comply with the Red Flag Rules.
"Red Flags" include all potential patterns, practices, and activities that indicate the possibility of identity theft. There is no definitive list of Red Flags. Anything that raises the suspicion of identity theft qualifies. Red Flags include: (1) suspicious documents; (2) suspicious personal identifying information; (3) suspicious activity relating to an account; (4) notices from customers, victims of identity theft, or law enforcement; and (5) alerts, notifications, or warnings from a consumer reporting agency. For example, a phone call from a customer concerning an item or service that the customer denies receiving, identification that looks altered or forged, and mail sent to a customer that is repeatedly returned as undeliverable are all Red Flags. Under the Red Flag Rules, you are supposed to detect those signals and take appropriate action in response.
Creating a Red Flag Rules compliance plan has several steps. First, you will need to engage in a risk assessment to identify what Red Flags you are likely to encounter at your business. Second, you must train your staff to identify those Red Flags and to be vigilant for their occurrence. Third, you must draft and implement procedures to respond to Red Flags when they appear. Finally, there is an ongoing obligation to periodically review and update your entire Red Flag program. The Red Flag Rules require that policies and procedures be "reasonable" for each given business, which means that you have the flexibility to tailor your policies to your specific experiences and circumstances and to your perceived risk of identity theft. For example, it would not be reasonable for most businesses to conduct background checks on their customers. On the other hand, it would be reasonable for many businesses to require photo identification for credit transactions and to make sure that the identification matches the individual and appears to be genuine. How vigorously the FTC will enforce the Red Flag Rules remains to be seen. However, because the possible penalties include thousands of dollars in civil fines, compliance should not be taken lightly.
In order to assist businesses in responding to the Red Flag Rules, the FTC published a Red Flag How-To Guide for Business, which may be found at www.ftc.gov/redflagsrule.
If you have questions about the Red Flag Rules or would like assistance in your compliance efforts, please contact Alex W. Thomson.