The Federal Trade Commission (“FTC”) has issued business guidance to assist entities covered by the Identity Theft Red Flags Rule (the “Red Flags Rule”) in designing and implementing identity theft prevention programs (“ITPPs”). The Red Flags Rule requires “financial institutions” and “creditors” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning signs, or “red flags.”
“Fighting Fraud with the Red Flags Rule: A How-To Guide for Business” is available at: www.ftc.gov/redflagsrule. The business guidance describes the entities that are covered by the Red Flags Rule and provides information to help them develop identity theft prevention programs. Although the Red Flags Rule became effective on November 1, 2008, for entities under the FTC’s jurisdiction, the FTC has delayed enforcement of the Rule until May 1, 2009.
The Red Flags Rule covers financial institutions and creditors (“covered entities”). The Red Flags Rule defines a “financial institution” to include institutions under the jurisdiction of the federal bank regulatory agencies and/or the National Credit Union Administration, and any other person that, directly or indirectly, holds a transaction account belonging to a consumer. FTC guidance provides examples of financial institutions under the FTC’s jurisdiction, including state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, and other institutions that offer accounts from which the consumer can make payments or transfers to third parties. “Creditors” are defined as businesses or organizations that regularly defer payment for goods or services, or that provide goods or services and bill customers later. Covered entities must conduct a risk assessment to determine whether they have “covered accounts,” which include consumer-type accounts and other accounts for which there is a reasonable risk of identity theft.
Even if your organization is not required to have an ITPP, you may at least have to conduct a risk assessment to decide whether the “credit” arrangements you enter into with your customers, vendors, advertisers, purchasers, and others present a reasonably foreseeable risk of identity theft (“ID theft”), which the Red Flags Rule defines as a fraud committed or attempted using the identifying information of another person without authority. “Red Flags” means a pattern, practice, or specific activity that indicates the possible existence of ID theft.
Even a low-risk covered entity needs to have a written ITPP that is approved either by its Board of Directors or an appropriate senior employee. Since risks change, there is an obligation to assess the ITPP periodically to keep it current. Likewise, because business models and services change, organizations should periodically assess whether or not they are a covered entity subject to the Red Flags Rule.
The FTC and the federal financial regulatory agencies developed the Red Flags Rule under the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”). The Red Flags Rule is designed to reduce the overall incidence and impact of identity theft.
Many organizations will be considered “financial institutions” or “creditors” under the Red Flags Rule, and many of these organizations will have “covered accounts” as defined by the Red Flags Rule. It is crucial that all organizations within the Red Flags Rule’s coverage have an ITPP in place no later than May 1, 2009. Given the risk-based nature of the Red Flags Rule, its requirements are flexible and may be tailored to the degree of identity theft risk faced by the particular company and activity.