The Identity Theft Red Flags Rule (the “Rule”), 16 C.F.R. Part 681.2, was developed by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act of 2003. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.
While many associations meet the Rule’s definition of a “creditor” because they accept payments over time for goods/services provided, such as membership dues, publications, events, etc., many of these associations will not meet the Rule's second prong for coverage, which is having a “covered account.”
An account is “covered” under the Rule if it is for personal/household use. If not, the account can still be “covered” if there is a reasonably foreseeable risk of identity theft to either the account holder or the association, based on past experience in the opening, accessing or transactional use associated with the account.
Therefore, it is crucial to first conduct a risk assessment to see whether or not the association’s risk of identity theft regarding customer accounts (including those of both members and non-members, whether corporate or individual) is reasonably foreseeable; if not, then the association does not have “covered accounts” and is not within the scope of the Rule. In that case, the association should keep a copy of this written risk assessment on file, and update the risk assessment at least annually, as evidence of Rule non-coverage.
If, on the other hand, the risk assessment indicates a reasonably foreseeable risk of ID theft and hence Rule coverage, then the association's Identity Theft Prevention/Red Flag Program must also include a written Policy and Procedures.
Number of Customers, during the period from 1/1/XX to date: ______________
Number of Customer Transactions, from 1/1/XX to date: __________________
[Appropriate time frame for risk assessment: past 3-5 years preferable, past 2 years minimum. “Customers” includes both members and non-members, whether corporate or individual.]
Risk Assessment Key
A=Access (view balance; change personal information; change payment method)
T=Can conduct transactions (make a payment; transfer funds; obtain products)
“Experience” indicates whether the association has had previous experiences with identity theft with respect to each specific type of account.
Risk ratings* are “High” (H), “Moderate” (M), and “Low” (L).
*Explanation for risk ratings: Risk ratings are based on the association’s size in terms of customers and annual transactions, the number of individuals authorized to access each customer's account, and the association's existing policies and procedures (such as Internet security, account oversight, account agreements, etc.). The risk also depends on the types of products/services normally sold to each customer, the accessibility of the customer account, the association’s experience with identity theft, and how susceptible the offered products and services are to fraudulent activity.
MODEL ASSESSMENT OF ASSOCIATION’S ACCOUNTS/SERVICES, METHODS FOR OPENING ACCOUNTS, METHODS FOR ACCESSING ACCOUNTS
[Association] allows customers to open and access accounts and conduct transactions in-person, by mail, by telephone, and online [please modify and change accordingly, both here and on the following charts, to eliminate any irrelevant charts or portions thereof]. The risk of identity theft relating to the type of account, and to the means of opening and accessing accounts and conducting transactions, is assessed below:
MODEL ASSESSMENT OF ASSOCIATION'S PRIOR EXPERIENCES WITH INFORMATION SECURITY BREACHES AND/OR IDENTITY THEFT CONCERNING CUSTOMER ACCOUNTS
[Association] had [number] data security breach[es] in XXXX, 200X [if true, and modify number and response accordingly]. No customer account information was accessed, and no customer accounts were accessed. In response to this breach, [Association] ______________________ [e.g., monitored accounts for a period of X months and instituted additional identification checks for accessing customer accounts to conduct transactions].
To date, [Association] is aware of [number] occurrence[s] of identity theft concerning unauthorized access to our customer accounts, whether in account opening, account access, or transactions conducted. In response to these occurrences, [Association] ______________ [e.g., issued a full credit to each affected customer, and instituted additional identification checks for accessing customer accounts to conduct transactions] [if true, and modify number and response accordingly].
[Association] maintains all regulatory alerts and business guidance on the Identity Theft Red Flags Rule (16 C.F.R. Part 681) (the “Rule”) issued by the Federal Trade Commission (“FTC”). Based on the above risk assessment and all applicable FTC alerts and business guidance, [Association] assesses the risk to its customer accounts from identity theft to be low. Because these are accounts for which there is not a foreseeable risk of identity theft, these accounts are not “covered accounts” within the meaning of the Rule.
[Note: In determining the association's risk regarding prior experiences with information security breaches and/or identity theft, you should include a description of any past experiences, including the steps taken by the association to prevent any further experiences. Also include other factors such as regulatory actions/findings; legal actions; insurance coverage; and/or independent analysis of any third-party vendors.]
While [Association] is a “creditor” within the meaning of the Rule, its customer accounts are not “covered accounts” under the Rule. Based on the above risk assessment, [Association] determines its overall risk regarding identity theft to be low. Because [Association] does not offer accounts for personal or household purposes, and because its customer accounts have experienced exceedingly few occurrences of identity theft, when viewed in relation to either the total number of accounts or the total number of annual transactions, these accounts do not face a foreseeable risk of identity theft. Therefore, they are not “covered accounts” within the meaning of the Rule.
Because [Association]'s customer accounts do not fall within the scope of the Rule, [Association] is not required to establish any specific Policies or Procedures in order to comply with the Rule. [Association] will conduct a similar Risk Assessment annually, in order to determine whether any changes in identity theft threats have caused its accounts to be considered “covered accounts” under the Rule, and thus to require enactment of such Policies or Procedures.
[Note: The risk assessment should reach an overall conclusion as to the association's risk regarding identity theft. If that overall risk assessment is medium or high, the association may conclude that such risk is "reasonably foreseeable" and therefore proceed to enact the Policies/Procedures required by the Rule.]