On October 22, 2008, the Federal Trade Commission (FTC) took a fairly unusual step in delaying the enforcement of its Identity Theft Red Flags Rule (16 CFR 681.2) for six months. The rule became effective on January 1, 2008, but full compliance with the rule was scheduled to go into effect on November 1, 2008, a year after it was introduced.
Background on Red Flags Rule
The Red Flags Rule was issued pursuant to sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act);[1] its primary requirement is for financial institutions and creditors holding consumer or other covered accounts to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The definition of creditor is drawn from the Equal Credit Opportunity Act[2] and includes anyone who defers payment for services rendered, such as the typical phone bill that is issued at the end of the month for services rendered in the previous month.
The rule specifies that creditors holding covered accounts must develop an Identity Theft Prevention Program that includes reasonable policies and procedures for detecting or mitigating identity theft and enabling a creditor to:
- identify relevant “red flags” (patterns, practices, and specific activities that signal possible identity theft) and incorporate those red flags into the program;
- detect the red flags that have been incorporated into the program;
- respond appropriately to detected red flags to prevent and mitigate identity theft; and
- ensure the program is updated periodically to reflect changes in risks.
Creditors will need their board of directors (or appropriate committee therein) or senior management to approve the initial written program.
Scope of Application of Rule
There has been a great deal of confusion regarding the scope of the Red Flags Rule, given that several industries that are not generally accustomed to FTC jurisdiction, including “finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and non-profit and government entities that defer payment for goods or services,”[3] are subject to the Red Flags Rule because they would be considered creditors. Furthermore, although many companies and institutions subject to the rule likely had policies and procedures in place that do detect fraud, including identity theft, prior to the issuance of the Red Flags Rule in 2007, no company had an “Identity Theft Prevention Program” with all the elements required under the Red Flags Rule (including board approval). The FTC has been participating in outreach programs to inform industries about the pending regulations and their application to consumer data collection policies and procedures.
Nonetheless, full compliance may not have been widespread; therefore the FTC determined that, in its prosecutorial discretion, it would forbear from bringing enforcement actions under this portion of the Red Flags Rule for six months to allow companies to get into compliance. It should be noted that this delay in enforcement does not suspend the compliance date, which is still November 1, 2008; furthermore, the enforcement delay does not extend:
- to the associated rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1);
- to the rule regarding changes of address applicable to card issuers (16 CFR 681.3); or
- to financial institutions subject to the jurisdiction of the federal banking agencies (e.g., the Federal Deposit Insurance Corporation, Federal Reserve Board, National Credit Union Administration, Office of the Comptroller of the Currency, and the Office of Thrift Supervision).
Companies should analyze their procedures to determine whether they are a financial institution and/or a creditor under the Identity Theft Red Flags Rule. If you determine you are either a financial institution or creditor, you should prepare an Identity Theft Prevention Program and receive board approval prior to May 1, 2009.