The Federal Trade Commission (“FTC”) recently issued a revised guidance (“Guide”) on the Red Flags Rule (“Rule”) (see “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business”). The Red Flags Rule requires certain businesses to develop, implement and administer an identity theft protection program. The purpose of this Guide is to help businesses determine whether they are subject to the Rule as a “financial institution” or “creditor” that maintains “covered accounts.” For businesses that are covered by the Rule, the Guide includes tips on establishing an identity theft prevention program that meets the Rule’s requirements.
The Guide reflects amendments to the Rule made last December, when the FTC revised the Rule to adopt the narrower definition of “creditor” that was included in the Red Flag Program Clarification Act of 2010 (see this post for additional details). The prior definition of creditor, which was originally so broad as to include virtually all businesses that accept deferred payment for goods or services, was limited to entities that grant credit or defer payment for goods and services and regularly and in the ordinary course of business:
- Obtain or use consumer reports (i.e., credit reports or other information obtained from a consumer reporting agency) in connection with a credit transaction;
- Furnish information to consumer reporting agencies in connection with a credit transaction; or
- Advance funds to or on behalf of a person, in certain cases.
To help businesses understand the type of conduct that would make them a creditor, the Guide presents a series of questions that businesses should ask, such as whether they regularly grant or arrange credit or whether they get or use consumer reports in connection with a credit transaction. The Guide also includes a series of FAQs to help answer some anticipated questions on the scope of the Rule and compliance with its requirements. For example, the FAQs help clarify that, for purposes of the Rule, “advancing funds” means making a loan or providing financing, but does not include deferring the payment of debt or the purchase of goods and services alone. The FAQs also explain that even a business that does not use credit reports directly—such as a company that contracts with a third party to pull consumers’ reports and evaluate their creditworthiness—is considered to be using credit reports regularly and in the ordinary course of business.
If a business has established that it is a financial institution or creditor, the next step is to determine whether the business’s accounts fall into one of two categories of “covered accounts”: (1) a consumer account that involves or allows multiple payments and transactions, and (2) any other account with a “reasonably foreseeable” risk of identity theft. The Guide includes tips on making this determination.
Finally, for businesses that are financial institutions or creditors that maintain covered accounts, the Guide concludes with a four-step process for complying with the Rule. First, there must be a written identity theft prevention program with reasonable policies and procedures in place to identity suspicious patterns or practices indicating the possibility of identity theft. Second, procedures must be in place to detect these patterns and practices as red flags for identity theft. Third, the program should spell out appropriate actions that need to be taken when a red flag is detected. And finally, the program must detail how it will be kept current to deal with new and emerging threats.
There is a fair amount of flexibility in the Rule, as indicated by this new Guide. Although the Rule has requirements on how to incorporate an identity theft protection program into the daily operations of a business, it allows flexibility in designing a program suited to the needs of a particular business, understanding that some business might require more complexity than others.
In all, the revised Guide provides a useful resource for businesses looking to determine whether they are subject to the Rule and/or to develop an identity theft protection program that meets the Rule’s requirements.