On October 22, the Federal Trade Commission (FTC) announced that it will "suspend enforcement" until May 1, 2009 of the "Red Flags Rule," previously scheduled to begin on November 1. The delay reflected FTC recognition that "some industries and entities within the FTC's jurisdiction" had not become aware of the impending requirements in time to come into compliance. The delay is designed to "enable these entities sufficient time to establish and implement appropriate identity theft prevention programs." Now is the time to consider whether your company may be one of those entities.
Under the Red Flags Rule (16 CFR Part 681), every "financial institution" or "creditor" with "covered accounts," and which is subject to the jurisdiction of the FTC, federal bank regulatory agencies or the National Credit Union Administration, is required to have in place a written program that provides for the identification, detection and response to patterns, practices or specific activities—known as "Red Flags"—that could indicate identity theft. A worthy goal, to be sure, but somewhat daunting for those entities that must comply.
Unclear but Broad Coverage
The FTC and the other agencies involved published extensive regulations and comments, some 60 pages worth, last year, but compliance does not appear to be a simple matter. For example, in order to determine who a "creditor" is, the definitions section in § 681.2(b)(5) of the FTC's Red Flags regulations refers the reader to 15 U.S.C. § 1681a(r)(5), which, in turn, sends the reader to 15 U.S.C. § 1691a. Once there, a "creditor" is broadly defined as "any person who regularly extends, renews or continues credit." The regulations specifically mention banks, automobile dealers, mortgage brokers, utility companies and telecommunications companies, but obviously there are many more. Similarly, "covered accounts" are broadly defined to mean "[a]n account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions." In short, any entity that extends consumer credit for goods or services may be covered.
Under the Red Flags regulations, creditors must develop a written program that identifies and detects the relevant warning signs of identity theft. The written program also must describe appropriate responses that would prevent the illegal activity and describe in detail a plan to update the program, which must be managed by the board of directors or senior management of those entities that must comply.
In an effort to assist covered entities in setting up their programs, the FTC issued supplemental guidelines identifying 26 possible "Red Flags" as "illustrative examples." According to the guidelines, these examples fall into five categories:
- Alerts, notifications or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personally identifying information, such as a suspicious address;
- Unusual use of, or suspicious activity relating to, a covered account; and
- Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts.
Even after a close reading of the regulations and Guidelines (and supplemental Guidelines), it is far from clear how a written program can be developed so as to be in compliance. In June 2008, the FTC issued an alert stating that "more detailed compliance guidance on the Red Flags Rules will be forthcoming." When issued, such additional guidance will be most welcome.