
Good Company

Daniel K. Fink, Associate



Red Flag Regulations Expand to Wide Range of Organizations: New Obligations Under FTC Identity Theft Regulations


Friday, February 06, 2009



In an effort to combat identity theft, the Federal Trade Commission (FTC) issued new regulations in late 2007 requiring many businesses to adopt and implement certain policies and procedures. Commonly known as the Red Flags Regulations, these call for not only "financial institutions" but also certain "creditors" to institute practices to detect and respond to suspicious incidents, known as "Red Flags", in connection with all "covered accounts". Red Flags are patterns, practices or activities that indicate the possible existence of identity theft. You may not think of yourself or your business as a creditor, but it is very likely that the FTC does and thus the Red Flags Regulations apply to you.

The Red Flags Regulations were originally effective as of November 1, 2008, but the FTC suspended enforcement until May 1, 2009. This delay gives you a valuable opportunity to review your practices and ensure that you are in compliance.

The Three Components of the Red Flags Regulations
The Red Flags Regulations consist of three separate rules. The most significant one, known as the "Red Flags Rule", requires covered entities to implement written identity theft prevention programs in connection with particular accounts maintained for customers, clients or patients. A second rule requires users of consumer credit reports to take certain actions if they receive a notice from a consumer reporting agency that there is a substantial discrepancy in connection with the address of the consumer for whom the credit report was requested. Finally, a third rule compels issuers of debit and credit cards to develop policies and procedures to verify the validity of a change of address request that is followed closely by a request for an additional or replacement card.

The Red Flags Rule has the broadest reach and requires the most proactive response. It is essential that businesses, including educational institutions, health care providers and professionals, take time to assess the applicability of the regulations in general, and the Red Flags Rule in particular, to their companies and practices and take appropriate steps to comply by the May 1, 2009 deadline.

Covered Entities
Are you a covered entity? The Red Flags Rule applies to "creditors" and "financial institutions" that offer "covered accounts". The breadth of the Rule comes from the very broad definition of creditors. A creditor is defined as:

  • any entity that regularly extends, renews, or continues credit;
  • any entity that regularly arranges for the extension, renewal, or continuation of credit; or
  • any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

Your business may well be a creditor. Examples include finance companies, car dealers, mortgage brokers, utility companies, telecommunication companies, non-profit and government entities, educational institutions, and health care providers and professionals that defer payment for goods or services. (Note that the mere act of accepting a credit card for payment does not in and of itself make a business a creditor for purposes of the Red Flags Rule, because it is the credit card issuer who is extending the credit in that situation; you become a creditor when you are the one extending credit.)

Financial institutions are entities that hold transaction accounts that enable consumers to, among other things, write checks and make payments to third parties through alternative means, like other negotiable instruments or telephone transfers.

Covered Accounts
If you are a creditor or financial institution as described above, the Red Flags Rule only applies if you have "covered accounts". Covered accounts are those offered or maintained primarily for personal, family, or household purposes, and that allow for multiple payments or transactions. They also include other accounts offered or maintained for which there is a reasonably foreseeable risk from identity theft. Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking and savings accounts, tuition, patient and customer accounts. Generally, any type of personal or household account or payment plan that involves multiple transactions or payments in arrears is likely to be considered a covered account under the Red Flags Rule.

Institution of Written Identity Theft Policies
If you are a creditor or financial institution and offer or maintain covered accounts, what do you have to do? The Red Flags Rule requires you to establish and implement a written Identity Theft Prevention Program in connection with new and existing covered accounts. While the Red Flags Rule allows some flexibility in the design of your Identity Theft Prevention Program, certain elements are mandated. In particular, your Identity Theft Prevention Program must include policies and procedures to:

  1. identify and incorporate relevant Red Flags for your covered accounts into your Identity Theft Prevention Program (this means you may not just take a form list of Red Flags; you must tailor them to reflect your own covered accounts);
  2. detect the identified relevant Red Flags;
  3. respond appropriately to any detected Red Flags to prevent and mitigate identity theft; and
  4. ensure the Identity Theft Prevention Program is updated periodically.

To aid in compliance with the Rule, the FTC has issued a nonexclusive list of 26 possible Red Flags. Examples of such Red Flags include:

  1. a fraud or active duty alert is included with a consumer report;
  2. documents provided for identification appear to have been altered or forged;
  3. personal identifying information provided by the customer or patient is not consistent with other personal identifying information provided by that customer or patient (for example, there is a lack of correlation between the SSN range and date of birth); and
  4. a covered account is used in a manner that is not consistent with established patterns of activity on the account.

You must also obtain approval of the initial Identity Theft Prevention Program from either your Board of Directors or an authorized Board committee; involve the Board, an authorized Board committee or a Board-designated senior manager in the development, implementation, oversight and ongoing administration of the Identity Theft Prevention Program; train staff to implement it effectively; and exercise appropriate oversight of all your service provider arrangements to ensure they are in compliance with the Red Flags Rule.

Make Sure Your Business, Educational Institution, Health Care or Professional Practice Is Ready For May 1, 2009!

Failure to comply with the Red Flags Regulations could result in civil monetary penalties, including awards of punitive damages and attorneys' fees, as well as regulatory enforcement actions. Thus, if you have not done so yet, you should evaluate your business promptly to determine if the Red Flags Regulations apply to you, and if so, develop and implement the policies and procedures you need to put in place before May 1, 2009.

This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice. Your receipt of Good Company or any of its individual articles does not create an attorney-client relationship between you and Sheehan Phinney Bass + Green or the Sheehan Phinney Capitol Group. The opinions expressed in Good Company are those of the authors of the specific articles.

© 2010 Sheehan Phinney Bass + Green PA. All rights reserved.