On Jan. 1, 2008, new rules aimed at preventing and combating identity fraud (the “Red Flag Rules”), addressing the validity of change-of-address notifications (the “Special Rules for Card Issuers”) and dealing with mistaken dissemination of credit reports due to address discrepancy (the “Address Discrepancy Rules”) became effective. These new rules implement Secs. 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”), which added new sections to the Fair Credit Reporting Act (“FCRA”). The rules were proposed by the federal banking regulatory agencies, the National Credit Union Administration (“NCUA”) and the Federal Trade Commission (“FTC”) (collectively, the “Agencies”).1 By Nov. 1, 2008, covered institutions must adopt a program to address these new rules.
In this Alert, we briefly set forth the requirements of the Red Flag Rules, the Special Rules for Card Issuers and the Address Discrepancy Rules and also explain who must comply with these new regulatory mandates.
The Red Flag Rules
The Red Flag Rules are designed to protect consumers from some of the most common types of identity fraud. As a general matter, the Red Flag Rules set forth the requirement that financial institutions and creditors (as defined below) must develop and implement a written and board-approved Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The rules apply to certain banks, financial institutions and a wide variety of other entities, including, at least in certain instances, broker-dealers.
The Special Rules for Card Issuers
The Special Rules for Card Issuers are designed to address the validity of change-of-address notifications. As a general matter, the rules set forth the requirement that issuers of debit and credit cards must establish and implement reasonable policies and procedures to assess the validity of an address change when a card issuer receives a request for an additional or replacement card within a short period of time after receiving a notification of an address change for the same account. The rules apply to issuers of credit and debit cards.
The Address Discrepancy Rules
The Address Discrepancy Rules are intended to prevent a credit report user from receiving a report from a consumer reporting agency for an individual other than the one about whom the report was requested. As a general matter, the rules require users of consumer reports (including credit reports) to develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy. The rules apply to users of consumer reports, including, where applicable, banks and broker-dealers.
A. The Red Flag Rules
To understand who is covered by the Red Flag Rules, the following definitions are relevant:
- A financial institution is defined as “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.”
- A transaction account, in turn, is defined as “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”
- A creditor is defined as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit,” which would include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.”
- A covered account is defined as “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions,” which would include “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.” A covered account is also an account “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
- An account is defined as “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes,” which would include “[a]n extension of credit, such as the purchase of property or services involving a deferred payment; and [a] deposit account.”
2. Banks and Broker-Dealers
Generally, banks will need to comply with the Red Flag Rules implemented by their applicable regulator. With respect to broker-dealers, although the Red Flag Rules issued by the Federal banking agencies and NCUA specifically exempt broker-dealers from the scope of the rules, the Red Flag Rules promulgated by the FTC do not provide for such an express exemption. Rather, the scope of the FTC’s Red Flag Rules includes financial institutions and creditors that are subject to administrative enforcement of the FCRA by the FTC, which, in this case, would include broker-dealers.2
Moreover, the Agencies’ Red Flag Rules include a “margin account” within the definition of a “covered account.” The rules also define a “covered account” as including any other accounts for which there is a foreseeable risk of identity theft (e.g., a covered account could include a sole proprietorship or business). Thus, the rules would apply to a broker-dealer to the extent that it is acting as a creditor (as defined above), particularly with respect to the margin accounts which it offers to individual customers, as well as any other accounts for which there is a foreseeable risk of identity theft.3
Therefore, banks and broker-dealers, as well as other financial institutions that act as creditors, should take steps to ensure that they have appropriate programs in place by Nov. 1, 2008.
3. Identity Theft Prevention Program
The new regulations aimed at implementing the Red Flag Rules direct each entity covered by the regulations to develop and implement a written Identity Theft Prevention Program (the “Program”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. Each covered entity must craft a Program that is appropriate to its size and complexity and the nature and scope of its activities. Although the rules do not mandate a one-size-fits-all approach, covered entities must include the following in their Programs:
- Each entity must identify relevant types of Red Flags for its covered accounts, and incorporate those Red Flags into its Program.
- Each entity must develop policies and procedures to detect these identified Red Flags.
- Each entity must prevent and mitigate identity theft by responding appropriately to any Red Flags that are detected.
- Each entity must ensure its Program is updated periodically, to reflect new developments and changes in the risk environment relating to identity theft.
An appendix to the rules sets out more detailed guidelines that are meant to assist covered entities in crafting and updating their own Programs with respect to new and existing accounts. For example, a Program must take into account the different types of covered accounts, the methods used to open and to access these different types of accounts (e.g., Internet-based accounts), and also draw on the covered entity’s previous experiences with identity theft. The Program should be aimed at detecting a variety of types of Red Flags, including Red Flags learned from past incidents of identity theft at the covered entity; known methods of identity theft that a covered entity has identified that reflect changes in identity theft risks; and supervisory guidance offered by regulators in the future.
Moreover, the regulations state that the covered entity should consider incorporating into its Program five specific categories of “red flags”:
- Alerts, notifications or warnings received from consumer reporting agencies or service providers, such as fraud detection services
- The presentation of suspicious documents
- The presentation of suspicious personal identifying information, such as a suspicious address change
- The unusual use of, or suspicious activity related to, the covered account, such as a covered account that is used in a manner that is not consistent with established patterns of activity on the account
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding potential identity theft in connection with covered accounts
A supplement to the appendix to the rules sets out examples of Red Flags from each of the five categories referenced above, which a covered entity should consider, and as appropriate, incorporate into its Program.
The detection of these Red Flags may be accomplished by a covered entity’s request for identifying information about, and its verification of the identity of, any person opening a covered account. In connection with any existing covered accounts, Red Flags may be detected through a covered entity’s authentication of its customers, monitoring of customer transactions, and verification of the validity of customer requests for address changes.
The rules also provide that a covered entity must include reasonable policies and procedures to respond appropriately to any Red Flags detected, in a manner that is commensurate with the degree of risk posed by such Red Flags, in order to prevent and mitigate identity theft. A covered entity should consider aggravating factors, such as data-security incidents that result in unauthorized access to a customer’s account record or notice that the customer has provided information related to a covered account to someone fraudulently claiming to represent the entity or to a fraudulent website, which may heighten the risk of identity theft in determining an appropriate response to the Red Flags. Appropriate responses may include:
- Monitoring a covered account for evidence of identity theft
- Contacting the customer
- Changing any passwords, security codes, or other security devices that permit access to a covered account
- Reopening a covered account with a new account number
- Not opening a new covered account
- Closing an existing covered account
- Not attempting to collect on a covered account or not selling a covered account to a debt collector
- Notifying law enforcement or
- Determining that no response is warranted under the particular circumstances
A covered entity should consider precursors to identity theft, such as “phishing” (i.e., electronic messages to customers of covered entities directing them to provide personal information in response to a fraudulent email) and security breaches (which often are a means to acquire information of another person for use in committing identity theft), in order to stop identity theft before it occurs.
A covered entity must also take measures to ensure that its Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft. The factors that should be considered by a covered entity in updating its Program include its own experiences with identity theft, changes in methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in types of accounts that it offers or maintains, and changes in its business arrangements, including mergers, acquisitions, joint ventures and service provider arrangements.
In order to ensure that the Program is taken seriously and fully implemented, the written Program must be approved by the covered entity’s board of directors or an appropriate board committee. The covered entities must also take the following steps:
- Each covered entity must involve its board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program. This oversight should include (i) the assigning of specific responsibility for the Program’s implementation; (ii) the responsibility for reviewing reports by staff and approving of material changes to the Program; and (iii) the reporting, at least annually, on the covered entity’s compliance with the Program.
- The covered entities need to conduct training, as necessary, to implement the Program in an effective manner.
- The covered entities need to exercise appropriate and effective oversight of service provider arrangements in order to make sure that service providers are following these rules to the extent required by law in accordance with appropriate policies and procedures.
Finally, the rules recognize that many covered entities may already be complying with aspects of these rules. In order to avoid unnecessary duplication of proceedings, a covered entity is allowed to “incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the covered entity from identity theft.” For example, for banks and broker-dealers, the Program may incorporate the institution’s overall regulatory scheme of reviewing its customers, documents and transactions for possible identity theft that are required by other applicable rules and regulations, such as its procedures for complying with the Customer Identification Program (“CIP”) Rule and requirements for reporting suspicious activities pursuant to the Bank Secrecy Act, as amended by the USA PATRIOT Act of 2001. However, such policies and procedures may need to be supplemented, based on the entity’s evaluation of the adequacy of its existing policies and procedures for detecting Red Flags.
B. The Special Rules for Card Issuers
The Special Rules for Card Issuers implement Sec. 114 of the FACT Act with respect to the requirement that credit and debit card issuers assess the validity of certain change-of-address notifications. In particular, the Special Rules for Card Issuers require that an issuer of debit and credit cards (a “card issuer”) establish and implement reasonable policies and procedures to assess the validity of a change of address if (i) the card issuer receives notification of a change of address for a consumer’s credit or debit card account and (ii) within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account.
These address-change regulations apply to financial institutions and creditors that are subject to the Agencies’ rules and that issue debit or credit cards.
Apparently recognizing that these circumstances can be an indicator of possible identity fraud, the Agencies have directed that card issuers not issue an additional or replacement card until after taking certain steps to assess the validity of the change of address. In particular, the card issuer must take one of the following steps:
- It must notify the cardholder of the requested address change at the cardholder’s former address and provide to the cardholder a reasonable means of promptly reporting incorrect address changes; or
- It must notify the cardholder of the requested address change by any other means of communication that the card issuer and the cardholder have previously agreed to use, and provide the cardholder with a reasonable means of promptly reporting incorrect address changes; or
- It must otherwise assess the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to its Identity Theft Prevention Program.
A card issuer will have complied with these regulations if it validates an address pursuant to one of the three methods above when it receives an address change notification (and before it even receives a request for an additional or replacement card).
In order to ensure that the card issuer’s written or electronic notice does not get lost amidst a host of regular mailings to customers, the card issuer must provide this address change notification in a clear and conspicuous fashion, in which the information is reasonably understandable and designed to call attention to the nature and significance of the information presented, and separate from its regular correspondence with the cardholder.
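The trigger described above (an additional or replacement card requested within the watch period after an address-change notification) is a simple time-window check over account events, and the shortcut in the preceding paragraph (validating the address when the notification arrives, before any card request) removes the hold. The following is an added illustration written for this Alert, not code from the Agencies or from any issuer; the event log, account identifiers and dates are constructed, the `validated` flag on an address-change event is an assumed record of whether the issuer already assessed that change at notification time, and the 30-day default reflects the minimum window the rules state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The rules require the check during at least the first 30 days after the notification.
WATCH_WINDOW = timedelta(days=30)


@dataclass
class AccountEvent:
    account_id: str
    kind: str                 # "address_change" or "card_request"
    at: datetime
    validated: bool = False   # address_change only: assumed flag, True if the issuer
                              # already assessed the change when the notification arrived


def decide_card_request(events, request, window=WATCH_WINDOW):
    """Decide whether a card request may be fulfilled immediately.

    Returns ("issue", None) when no hold is needed, or ("hold", address_change_event)
    when the request falls inside the watch window after an address change that the
    issuer has not yet validated. The hold means: notify the cardholder at the former
    address or by an agreed channel, or otherwise assess the change, before issuing.
    """
    prior_changes = [
        e for e in events
        if e.account_id == request.account_id
        and e.kind == "address_change"
        and e.at <= request.at
    ]
    if not prior_changes:
        return "issue", None                       # no address change on record
    last_change = max(prior_changes, key=lambda e: e.at)
    if request.at - last_change.at > window:
        return "issue", None                       # change is older than the watch window
    if last_change.validated:
        return "issue", None                       # already validated at notification time
    return "hold", last_change


def review_card_requests(events, window=WATCH_WINDOW):
    """Apply decide_card_request to every card request in the log, in log order.

    Returns a list of (account_id, decision) pairs.
    """
    return [
        (e.account_id, decide_card_request(events, e, window)[0])
        for e in events
        if e.kind == "card_request"
    ]


# Constructed sample event log (not real account data):
#  acct-A: unvalidated address change, card request 7 days later  -> hold
#  acct-B: address change validated on receipt, request 7 days later -> issue
#  acct-C: address change more than 30 days before the request     -> issue
#  acct-D: card request with no address change on record           -> issue
SAMPLE_EVENTS = [
    AccountEvent("acct-A", "address_change", datetime(2008, 11, 3)),
    AccountEvent("acct-A", "card_request",   datetime(2008, 11, 10)),
    AccountEvent("acct-B", "address_change", datetime(2008, 11, 3), validated=True),
    AccountEvent("acct-B", "card_request",   datetime(2008, 11, 10)),
    AccountEvent("acct-C", "address_change", datetime(2008, 9, 1)),
    AccountEvent("acct-C", "card_request",   datetime(2008, 11, 10)),
    AccountEvent("acct-D", "card_request",   datetime(2008, 11, 10)),
]

if __name__ == "__main__":
    for account_id, decision in review_card_requests(SAMPLE_EVENTS):
        print(f"{account_id}: {decision}")
```

The window comparison is inclusive, so a request on the 30th day after the notification is still held; an issuer that chooses a longer period than the 30-day minimum can pass it as `window`.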
C. The Address Discrepancy Rules
The Address Discrepancy Rules implement section 315 of the FACT Act, which requires users of consumer reports (i.e., “users”) to “develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.”
The Address Discrepancy Rules are meant to make it less likely that the user of a consumer report (like a credit report) will obtain (perhaps inadvertently) the consumer report for a consumer who has not authorized the disclosure of such a report. The Address Discrepancy Rules seek to accomplish this goal by focusing the attention of consumer report users on those cases in which a consumer report is requested for an individual at one address, but the user is advised that the individual for whom a report is available resides at a substantially different address.
The Address Discrepancy Rules apply to users of consumer reports that are subject to administrative enforcement of the FCRA by the FTC. In their commentary to the rule, the Agencies specifically note that “section 315 does not apply to ‘financial institutions’ or ‘creditors’ who do not use consumer reports.”
A “notice of address discrepancy,” as defined by the Address Discrepancy Rule, is a “notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.”
The Address Discrepancy Rules offer several examples of reasonable policies and procedures that the user of a consumer report can adopt in these circumstances:
(i) The user can compare the information in the consumer report provided by the consumer reporting agency with information the user:
(a) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the CIP Rules implementing 31 U.S.C. § 5318(l) (31 CFR § 103.121);
(b) Maintains in its own records, such as applications, change of address notifications, other member account records, or retained CIP documentation; or
(c) Obtains from third-party sources.
(ii) The user can verify the information in the consumer report provided by the consumer reporting agency with the consumer.
The Address Discrepancy Rules also require that users of consumer reports “develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy.” Specifically, the user of the report needs to:
(i) Be able to form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Have established a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnish information to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer, from which the notice of address discrepancy relating to the consumer was obtained.
The user may reasonably confirm that the address is accurate by (i) verifying the address with the consumer about whom it has requested the report; (ii) reviewing its own records to verify the address of the consumer; (iii) verifying the address through third-party sources; or (iv) using other reasonable means.