On July 29, 2009, the Federal Trade Commission announced that it would suspend enforcement of the red flags rule under the Fair and Accurate Credit Transactions Act of 2003, which imposes identity theft-related requirements on “financial institutions” and other specified entities, until November 1, 2009. This is the third time the FTC has delayed implementation of the rule.
Under the red flags rule, a “financial institution” includes any institution, including an investment company, that directly or indirectly holds a transaction account belonging to a consumer, and a “transaction account” is an account in which the account holder is permitted to make withdrawals payable to third persons by check, transferable or negotiable instruments or similar items (e.g., debit cards).
The rule requires funds that hold transaction accounts to develop and obtain board approval of a written Identity Theft Prevention Program by November 1, 2009. The Program must be designed to detect, prevent and mitigate identity theft in connection with covered accounts. The Program must be able to detect patterns, practices and certain “red flag” activities that potentially signify identity theft. Specifically, the Program must include “reasonable policies and procedures” to: (1) identify red flag activities for covered accounts and incorporate any newly identified red flag activities into the Program; (2) detect red flag activities; (3) respond to red flag activities that have been detected; and (4) update the Program periodically to reflect changes in risks. For each of these items, the rule requires the financial institution to consider specific guidelines and include in its Program those guidelines that are appropriate given the size and complexity of the institution and the nature and scope of its activities.
The new rule also imposes certain requirements related to the administration of the Program, including: (1) obtaining approval of the Program by the institution’s board or a committee thereof, (2) involving the board, committee or designated senior management person in the oversight, development, implementation and administration of the Program, (3) training staff to effectively implement the Program, and (4) exercising appropriate and effective oversight of service provider arrangements.