For the financial services industries, 2008 will bring more of the same—but on a more complicated scale and with new risks. There are new regulatory obligations, stemming primarily from the never-ending regulatory process dictated by the Fair and Accurate Credit Transactions Act (FACTA). In the upcoming year, financial institutions (and various others, depending on the specific details of each rule) will need to meet challenging new regulatory requirements: the FACTA affiliate marketing rule and the three components of the FACTA "red flag" rule, relating to development of a red flag identity theft program and various related address-discrepancy provisions.

Affiliate Marketing Rule

The affiliate marketing rule presents some new and difficult challenges. For reasons that have not been explained, this rule took far longer in development than most of the other FACTA rules. (The proposed rule was published in 2004.) This rule places new limits on financial institutions' sharing of certain kinds of customer information with affiliates. The result is yet another "opt-out" choice for consumers, most of whom don't understand the existing choices. (In fact, the rule makes clear that certain kinds of information sharing now may be subject to two different opt-out obligations.) By late 2008, financial institutions will need to develop privacy notices and opt-out mechanisms that address (1) sharing of personal information with nonaffiliated third parties for marketing purposes; (2) sharing of certain information with affiliates; and (3) use by affiliates of certain information for marketing purposes. Each of these opt-out choices applies to slightly different sets of customer information and/or slightly different purposes. In addition, the affiliate sharing rule requires a detailed parsing of the Fair Credit Reporting Act to determine what kinds of customer information will be considered "eligibility information," the trigger point for an opt-out possibility.

"Red Flag" Rule

Beyond the affiliate sharing rule, the "red flag" rule requires compliance with three distinct provisions, each with a different set of covered entities. The first component of the rule regulates the "duties of users regarding address discrepancies." As a general matter, this provision requires "users of consumer reports" to "develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy."

The second component of the rule—which has generated the largest amount of attention—involves a company's duties (in certain limited situations) regarding the detection, prevention and mitigation of identity theft. This portion of the rule requires development of an "Identity Theft Prevention Program" that is "designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account." To be compliant, the program must include "reasonable policies and procedures" to:

  • Identify relevant Red Flags (meaning "a pattern, practice or specific activity that indicates the possible existence of identity theft") for the covered accounts that the financial institution or creditor offers or maintains;
  • Detect Red Flags that have been incorporated into the program of the financial institution or creditor;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • Ensure the program is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor as to identity theft.

The scope of this provision is more complicated—it applies to certain kinds of "covered accounts," but only for "financial institutions" as defined by the Fair Credit Reporting Act. So, the first challenge for any financial services company will be to figure out if it needs to meet these compliance requirements. If so, the "red flag" program will require significant implementation work.

The third component of the rule applies to the "duties of card users regarding changes of address." Somewhat similar to the "address discrepancy" provision, this portion of the rule requires a "card issuer" to "establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards . . . the card issuer receives a request for an additional or replacement card for the same account." Again, like the "red flag" program, this rule requires a detailed assessment of applicability—only certain financial institutions that are "card issuers" will be covered.

Overall, 2008 will present some significant regulatory compliance challenges for financial institutions. On top of these regulatory obligations, financial institutions face continuing exposure from security breaches, along with some new obligations under state law and enhanced threats of breach litigation. Efforts to attack financial institution databases are growing, in quantity and sophistication. In addition, the efforts to impose specific obligations related to security breaches, the risks that class action lawsuits will finally get over the "no damages" hurdle and the likelihood of increased audits and examinations of security practices all point to the need to maintain a security program that can keep pace with almost constant developments. Security officers, privacy officers, lawyers and compliance staff all will need to be involved in staying on top of these critical issues.