The mandatory compliance date of Aug. 1, 2009, has finally arrived for implementing the Identity Theft Red Flags Rule, issued by the Federal Trade Commission ("FTC") and federal banking regulators pursuant to the Fair and Accurate Credit Transactions Act.

The Red Flags Rule requires "financial institutions" and "creditors" that hold "covered accounts" to develop and implement a written Identity Theft and Prevention Program. The program must provide for identification, detection and response to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft. The FTC delayed enforcement of the Red Flags Rule twice due to confusion and uncertainty about who, precisely, is covered by the rule.

For purposes of the rule, a "financial institution" includes a bank, savings association, and credit union, and any person that directly or indirectly holds a transaction account belonging to a consumer. A "creditor" is any entity that regularly extends or renews credit or arranges for others to do so and includes all entities that regularly permit deferred payment for goods and services. The broad scope given to the term includes entities that have not previously considered themselves creditors, nor previously been under the jurisdiction of the FTC. Entities subject to the rule include those that permit payment after products are sold or services rendered, which may encompass entities such as health care providers, other professional services vendors, non-profit organizations, as well as retailers and a wide range of businesses that invoice their customers.

Once the determination is made that the entity is a financial institution or creditor, a decision must then be made about whether it possesses a "covered account." The term "covered account" encompasses two types of accounts: one is an account maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and the second includes any other account for which there is a foreseeable risk of identity theft. This second type is a risk-based definition and each creditor must make its own determination on whether its accounts meet the definition. FTC's guidance on the second type of account provides that the entity should conduct a risk evaluation that considers the methods it employs to open its accounts, or access its accounts, as well as its previous experience with identity theft.

The Red Flags Rule is meant to be flexible and provide a covered entity with the opportunity to design and implement a program that is appropriate to its size and the nature of its operations. Therefore, a large company with several types of accounts may need a complex program, while a small, low-risk business may be able to adopt a streamlined program. Regardless of the nature of a business, the programs must include five elements:

  • Identification of Red Flags. Identify relevant patterns, practices, and specific forms of activity that are red flags signaling possible identity theft. Consider the nature of the business and the type of identity theft to which it might be vulnerable.
  • Detection of Red Flags. Establish policies and procedures to detect the identified red flags.  
  • Responses to Red Flags. Include prevention, mitigation, and appropriate actions once red flags are detected.  
  • Periodic Review and Updating. Address how management will periodically re-evaluate and update, where necessary, to address new and evolving threats. This includes re-evaluation to determine whether changes in the business have caused the entity or account to fall under the purview of the Red Flags Rule.  
  • Administration of Program. The program must be approved by the Board of Directors, or if the entity does not have a board, by a senior-level manager. It must specify who is responsible for implementing and administering the program including approving necessary changes. Finally, it must include appropriate training for staff.  

The obligations of an entity to comply with the Red Flags Rule also apply even if the entity outsources parts of its operations. Therefore, the entity must specify how it will ensure and monitor compliance with the program by the external service providers.

Failure to comply with the rule can subject the covered entity to civil penalties that have now been raised to $3,500 for each knowing violation. It is likely that each covered account not protected pursuant to the rule would constitute a violation. Despite the FTC's effort to clarify the coverage of the Red Flags Rule, the continued ambiguity in the definition of "creditor" may expose many companies to the risk of civil penalties. Additionally, failure to comply with the rules may result in exposure to claims under state consumer protection laws and civil lawsuits.

It is, therefore, essential that entities correctly determine whether they fall under the definition of "financial institution" or "creditor" and if so, whether they maintain "covered accounts." Entities so designated should design and implement appropriate identity theft prevention programs. Even in the absence of legal obligation, implementing a program containing elements of the rule would help companies mitigate the risk of identity theft and reduce their overall exposure.