The Federal Trade Commission’s (FTC) Red Flags Rule has an enforcement deadline of December 31, 2010. The Rule mandates that all financial institutions and creditors with covered accounts create programs that protect their customers against fraud and identity theft. All companies should be aware of this rule, as the FTC has taken a very broad definition of “creditors.” Creditors are all persons or businesses that regularly extend, renew, arrange for or continue credit, or that participate in credit decisions. This broad definition arguably includes any business that accepts payment for services after the services have been rendered.
Who is Covered by the Rule?
The Red Flags Rule covers financial institutions and creditors. Financial institutions include banks, mutual funds that offer accounts with check-writing or debit card privileges, and persons holding transaction accounts belonging to consumers. Creditors, as mentioned above, are persons and businesses that extend credit in the course of their operations. The definition of “creditor” is broad and arguably extends to any entity that allows customers to pay on credit. For example, a trade association that allows members to defer payment of dues but still provides those members with membership services may fall within the definition of “creditor.”
Both creditors and financial institutions must comply with the Red Flags Rule with regard to their “covered accounts.” A covered account is typically a consumer account, but may include other accounts that carry a risk of identity theft or fraud. Financial institutions and creditors that hold both covered and non-covered accounts must analyze all of their accounts to determine which fall within the purview of the Rule. The FTC’s main focus is on accounts that carry a high risk of identity theft.
Some controversy surrounded the fact that the FTC’s definition of “creditors” initially included law firms, health care providers, and accountants. The FTC delayed enforcement against those entities while awaiting the outcome of pending and appealed litigation as well as congressional legislation. Recently, the Senate and the House of Representatives passed legislation limiting the coverage of the Red Flags Rule and excluding lawyers, doctors, accountants, and other health care and service providers that do not offer or maintain accounts with a high risk of identity theft. There is still, however, pending legislation to exempt from the Rule businesses that apply for exemption and are low-risk entities, such as small businesses that know all of their customers, businesses that typically perform services within the home, and those that have experienced very few incidents of identity theft. Such entities are nevertheless urged to create simple procedures in compliance with the Rule unless and until they are granted such an exemption.
What Does the Red Flags Rule Require?
The Red Flags Rule requires financial institutions and creditors with covered accounts to implement procedures to combat identity theft and fraud. To do so, covered entities should take the following steps:
- Identify areas in your business that are susceptible to identity theft (i.e., Red Flags) with regard to covered accounts;
- Design internal procedures for detecting and responding to Red Flags;
- Have the initial program approved by the board of directors or, if there is no board, senior management;
- Annually, or more often if necessary, review and update the program; and
- Document the program.
The focus of the Rule is on the program. The FTC does not expect covered entities to eradicate identity theft overnight, but it does expect them to create a program with steps calculated to prevent fraud and identity theft. In designing a program, high-risk entities should thoroughly review all of their policies, procedures, and activities to identify the points at which identity theft may become an issue. Financial institutions may, for example, require multiple passwords and identity questions to verify user identities for online banking, or put procedures in place to protect accounts when uncharacteristic purchases are made. Other organizations that maintain covered accounts and personally identifiable information (PII) should consider encrypting their hard drives and protecting computers with two passwords—one to unlock the encrypted hard drive before the system boots and a second to unlock the user’s account and settings.
Along the same lines, companies with covered accounts should be very careful with mobile devices. Every mobile device should be protected by a password. Passwords should be changed frequently and made up of numbers and characters that are not easily guessed. Some entities use hardware tokens that generate random one-time passwords, together with login programs that require the token-generated code in order to access systems that hold PII.
It is also advised that all unnecessary PII be destroyed. Additionally, every entity subject to the Rule should require any service provider with whom it works to implement appropriate identity theft protection procedures, and should include a contract provision imposing that requirement. And, as mentioned, low-risk entities must also comply with the Rule, although their procedures will be far less stringent. Low-risk entities should consult the FTC’s online template for guidance.