On July 29, 2009, the Federal Trade Commission (FTC) announced that it will delay enforcement of its identity theft “Red Flags Rule”1 until November 1, 2009. This is the third time the FTC has delayed the enforcement date of the Red Flags Rule and each time the rationale has been largely the same – concern that some companies were “uncertain” or “not aware” that they were subject to the Rule (the prior delayed enforcement dates were May 1, 2009 and August 1, 2009). The latest announcement was accompanied by further FTC commitments to educate businesses about compliance with the Red Flags Rule. Given the confusion surrounding the Rule and its broad scope, companies that have not yet done so should carefully assess whether the Red Flags Rule applies to them and if so, develop an appropriate program.
Compliance with Red Flags Rule
The Red Flags Rule, enacted pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA),2 requires covered entities to develop a written program consisting of policies and procedures to identify, detect, respond to, and periodically evaluate “red flags” indicative of identity theft. Entities covered by the Red Flags Rule include “financial institutions” and “creditors” that hold consumer, transaction, or other “covered accounts” (see below). The rule requires such entities to develop an “Identity Theft Prevention Program” that enables the entity to:
- Identify relevant “red flags” (patterns, practices, and specific activities that signal possible identity theft) and incorporate those red flags into the program;
- Detect the red flags that have been incorporated into the program;
- Respond appropriately to detected red flags to prevent and mitigate identity theft; and
- Ensure the program is updated periodically to reflect changes in risks.
The Red Flags Rule provides for a flexible, risk-based approach in developing an identity theft program. A business can tailor its programs to account for its size and complexity and the nature and scope of its activities as well as the risks of identity theft that may be present. The written program must be approved by the entity’s board of directors or appropriate committee of the board. If a business does not have a board of directors, a senior manager must approve it. For all businesses, senior management must be involved in the oversight, development, implementation, and administration of the program.
Application of Red Flags Rule
There has been a great deal of confusion regarding the scope of the Red Flags Rule because many businesses that are not generally accustomed to FTC jurisdiction are subject to the Rule, including businesses that do not realize they are creditors as defined by the Rule.3 Under the FTC’s approach, a creditor is any entity that defers payment for goods or services. According to the FTC, this includes businesses that have monthly billing arrangements with customers where goods or services are provided and payment is made in arrears, even without finance charges or an installment agreement. Essentially, the FTC deems any business that allows a customer to “run a tab” to be a creditor even where payments are made in full in the following month. Accordingly, covered entities may include many entities such as lawyers, doctors and other health care providers, certain retailers, and other service providers including utility companies, telecommunications companies, auto dealers, mortgage brokers, and finance companies. Businesses that extend credit to other businesses are also creditors under the Rule.
The Rule also encompasses financial institutions that hold consumer transaction accounts, i.e., accounts from which consumers can make payments or transfers to third parties, such as a mutual fund with check-writing privileges.4 Notably, the Rule extends to non-profit organizations and government entities as well as for-profit businesses. Although many covered entities are small businesses with a low risk of identity theft, such entities must still implement a written program under the Rule. The FTC has estimated that there are more than 1.5 million low-risk entities that will be required to implement a program.5
Once an entity determines it is a creditor or financial institution, it then must assess whether it holds “covered accounts.” Such accounts include those used primarily for personal, family, or household purposes that permit multiple payments or transactions (a personal credit card is a primary example).6 Significantly, covered accounts also include any “other account” held by a covered entity for which there is a foreseeable risk of identity theft to a customer or where identity theft would affect the safety or soundness of the business, including through financial, operational, compliance, reputational, or litigation risks. According to the FTC, these other accounts include small business accounts or sole proprietorship accounts that are vulnerable to identity theft as well as “single transaction consumer account[s],” i.e., non-credit accounts.7 Therefore, covered entities should still include both non-credit accounts (in the case of covered creditors) and non-transaction accounts (in the case of covered financial institutions) within the scope of their Identity Theft Prevention Program.
Many covered entities may already have some policies and procedures in place, whether formal or informal, to detect fraud and identity theft that predate the Red Flags Rule. It is important, however, for all covered entities to assess and implement, where appropriate, a formal Identity Theft Prevention Program with all the elements required under the Rule (such as board or senior management approval).
FTC Guidance on Red Flags Rule
In addition to delaying enforcement, the FTC also has been engaged in efforts to educate businesses about the Red Flags Rule. The FTC has created a website with frequently asked questions about the rule, and has created a how-to guide for businesses in an effort to help clarify who is covered and what is expected. The FTC has also created a do-it-yourself identity theft prevention program for small or low-risk entities that provides a compliance template that walks these entities through the process.
In its latest announcement, the FTC said that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.”8 As part of this effort, the FTC intends to put a separate link on its website with resources for small and low-risk entities. It is important that businesses carefully assess whether they are creditors or financial institutions holding covered accounts and, if so, assess the level of risk of identity theft to such accounts. The greater the risks, the more detailed an identity theft prevention program must be.
Future of Red Flags Rule
There has been significant criticism of the Rule from various quarters. Both the American Medical Association and the American Bar Association (and some state bars) have opposed application of the Red Flags Rule to health care facilities and law firms, respectively, and it is possible that litigation to clarify the application of the Rule may ensue. Groups have also been lobbying Congress to amend the FACTA Red Flags Rule requirements. After initial enactment of the Rule, a bill to exclude health care practices with 20 or fewer employees from Red Flags enforcement was introduced in the U.S. House of Representatives. In addition, prior to this latest extension of the enforcement date, the House Appropriations Committee requested that the FTC defer enforcement in conjunction with additional efforts to minimize the burdens of the Rule on health care providers and small businesses with a low risk of identity theft problems. The FTC’s latest delay was in part due to that request.
Despite these repeated delays, the FTC has indicated it intends to proceed with enforcing the Rule as of November 1, 2009. While there is continued criticism and pressure for change, we do not recommend businesses anticipate further delays. Companies should determine whether they are a financial institution and/or creditor subject to the Red Flags Rule, and if so, whether they have any covered accounts. Companies that determine they are a financial institution or creditor with covered accounts should prepare an Identity Theft Prevention Program and receive board (or senior management) approval for the program prior to November 1, 2009.