The Red Flags Rule (the “Rule”) was designed to prevent identity theft. The Rule applies to all financial institutions and “Creditors.” The term “Creditor” was initially defined under the Rule to include any business or entity that regularly sold or arranged to sell goods or services on open account where the purchaser could make deferred payments for those goods or services. However, accepting credit card payments does not make a business a Creditor under the Rule.
Under the Red Flag Program Clarification Act of 2010 (the “Act”), the definition of “Creditor” was revised to include any business or entity that regularly and in the ordinary course of business: (1) obtains or uses consumer reports or provides information to consumer reporting agencies in connection with its credit transactions; or (2) advances funds to a person or entity in exchange for either that person’s or entity’s obligation to repay those funds or a pledge of specific property to provide for repayment. The Act also specifically excludes from the definition of “Creditor” a business or entity “that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person[.]” This exclusion presumably removes some service providers, such as attorneys, accountants, and health care providers, from the definition of Creditor. As of April 26, 2011, the FTC has not revised the guidance posted on its website to incorporate the Act’s revised definition of a Creditor, but the FTC has indicated that it is in the process of making those revisions.
Once a business determines that it is a financial institution or Creditor, it must evaluate its customer accounts to determine whether it has “Covered Accounts.” There are two types of Covered Accounts. The first is a “consumer account,” which is an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Examples of consumer accounts include mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, savings accounts, and credit card accounts of a credit card issuer. The second type of Covered Account includes any other account for which there is a reasonably foreseeable risk to the customer of identity theft, or to the safety and soundness of the financial institution or Creditor in the event of such identity theft. These risks include financial, operational, compliance, reputation, or litigation risks. This second type of Covered Account applies to accounts that may be particularly vulnerable to identity theft, such as small business accounts, sole proprietorship accounts, and single-transaction consumer accounts.
In determining whether a financial institution or Creditor has the second type of Covered Account, the business manager should consider the methods the business uses to open its customer accounts; the methods it uses to access those accounts (such as remote access by internet or telephone, which can be performed by persons other than the account holder); and the business’s previous experience with identity theft.
If a financial institution or Creditor does not offer or maintain either type of Covered Account, then it need not implement an “Identity Theft Prevention Program.” Nevertheless, it still must periodically reassess its customer accounts to determine whether it then offers or maintains Covered Accounts.
If a financial institution or Creditor does offer or maintain Covered Accounts, it must develop and implement a written Identity Theft Prevention Program (“Program”) to detect, prevent and mitigate identity theft with respect to the Covered Accounts. The complexity of the Program will depend, in part, on the nature and scope of the financial institution’s or Creditor’s business. However, regardless of complexity, the initial program must be approved by the board of directors, a committee of the board or, if the business does not have a board of directors, someone in senior management. The Program should also include preparation of annual reports to evaluate, among other things, the effectiveness of the Program.
The FTC has detailed information posted on its website about the Red Flags Rule and Identity Theft Prevention Programs. That information is available at http://business.ftc.gov/privacy-and-security/red-flags-rule, and includes “A How-to Guide for Businesses,” which is available at http://business.ftc.gov/documents/bus23-fighting-fraud-red-flags-rule-how-guide-business, and a “Do-It-Yourself Template for Businesses at Low Risk for Identity Theft,” which is available at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/diy-template.shtm. For those financial institutions and Creditors whose Covered Accounts and operations provide relatively little risk of identity theft, the above-mentioned guide and template might be all that is needed to create an adequate Program. For those financial institutions and Creditors whose Covered Accounts and operations involve higher levels of risk of or from identity theft, a more comprehensive Program is required.