Although the "Red Flags Rule" has been in effect since January 1, 2008, creditors regulated by the Federal Trade Commission were granted a six-month reprieve from complying with the Rule's initial compliance deadline of November 2008. This reprieve ends on May 1, 2009. As such, this Alert reminds those creditors who have not yet created an identity theft prevention program what they need to do prior to the deadline to get into compliance.
I. What is the Red Flags Rule?
Simply, the Rule refers to the requirement that creditors create and maintain an identity theft prevention program. The program must identify the "red flags" or warning signs for identity theft appropriate for the creditor as well as the steps that the creditor needs to take to prevent identity theft and to mitigate any damage that identity theft may inflict.
II. Who is Covered?
Determining whether you are covered by the Red Flags Rule requires a two-step process. First, you need to determine whether you are a "creditor" subject to the regulation. Second, assuming that you are a creditor, you need to determine whether you have a "covered account."
- Creditor. A creditor is broadly defined and includes a person that extends debt as well as any retail seller that regularly defers payments for goods or services or provides goods and services and bills customers later. Thus, any installment lender or retail seller that permits customers to pay for goods in installments constitutes a "creditor" for purposes of the Rule.
- "Covered" Account. An account can constitute a "covered" account in one of two ways. First, the account may be a consumer account offered primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Examples of this type of account include checking accounts or cell phone or utility accounts. Second, the account can be one that the creditor offers or maintains for which there is a reasonably foreseeable risk to its customers or to the safety and soundness of the creditor from identity theft. Coverage under this latter category is more subjective, and thus, harder to determine. Accounts that can be accessed via the Internet or by telephone may fall into this category.
III. What Must an Identity Theft Prevention Program Contain?
Once you determine that you are covered by the Rule, you must follow these four steps to comply with the Rule:
1. Identify Relevant Red Flags.
Companies need to consider red flags in the context of their businesses, so not every company will identify the same red flags. Some common red flags, however, include: fraud alerts in credit reports, notices of credit freezes, identification that appears altered or forged, a forged or altered application, use of a Social Security Number that was used by another person, or use of an account that had been inactive. The Federal Trade Commission has published an illustrative list of red flags that companies should use as a starting point for identifying those red flags appropriate for their business.
2. Detect Red Flags.
Once a company identifies those red flags that are appropriate for its business, the company must then set forth procedures for detecting the red flags in its day-to-day operations. These procedures may vary depending on whether the company is verifying a consumer's identity over the phone, in person or over the Internet. For online verifications, companies should consider using the Federal Financial Institutions Examination Council's guidance on authentication. Procedures also will vary depending on whether the customer is opening a new account or the company is monitoring an existing account.
3. Prevent and Mitigate Identity Theft.
In those instances when a company identifies a red flag, the circumstances surrounding that red flag will determine the company's response. Said differently, an appropriate response could be as simple as monitoring the account or as drastic as notifying law enforcement, depending on the nature of the red flag observed. In any event, the magnitude of the response should be proportional to the risk to the consumer and to the company.
4. Update Your Program.
Just as technology is constantly changing, so should a company's program. Thus, a company must periodically update its program to reflect any changes in technology or new risks for identity theft. An update to a program also may be warranted by a change in the company itself, such as a merger or acquisition.
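To show how steps 1 through 3 fit together in practice, here is an added illustrative example (not part of this Alert and not an FTC-published procedure): a small screening routine that applies the red flags listed under step 1 to constructed account-application records, then returns a response tiered by the combined risk of the flags found, as step 3 requires. The rule weights, response tiers, the one-year inactivity threshold and the sample records are all assumptions chosen for illustration; a real program would calibrate them to the creditor's own risk assessment and pull the data from its own systems.

```python
"""Illustrative red-flag screening (added example, not the Alert's own text).

Applies the warning signs listed under step 1 of the Alert to account
applications and returns a response proportional to the risk found (step 3).
All weights, tiers and sample data are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed sample data: SSNs already on file, keyed to the customer who
# presented them. A real program would query its own customer records.
KNOWN_SSNS = {"123-45-6789": "cust-001"}

# Assumed threshold for treating an existing account as "inactive".
INACTIVITY_THRESHOLD = timedelta(days=365)

# Fixed reference date so results are reproducible (the Rule's deadline).
FIXED_TODAY = date(2009, 5, 1)


@dataclass
class Application:
    customer_id: str
    ssn: str
    credit_report_fraud_alert: bool = False   # fraud alert on credit report
    credit_freeze_notice: bool = False        # notice of a credit freeze
    id_document_altered: bool = False         # ID appears altered or forged
    application_altered: bool = False         # application appears altered
    existing_account_last_activity: Optional[date] = None  # None = new account


def _inactive_account_used(app: Application, today: date) -> bool:
    """Flag use of an existing account that has been dormant past the threshold."""
    last = app.existing_account_last_activity
    return last is not None and (today - last) > INACTIVITY_THRESHOLD


def _ssn_used_by_another_person(app: Application, today: date) -> bool:
    """Flag an SSN already on file for a different customer."""
    return KNOWN_SSNS.get(app.ssn, app.customer_id) != app.customer_id


# Each rule: (flag name, assumed weight, predicate). The names mirror the red
# flags the Alert lists under step 1.
RULES: list[tuple[str, int, Callable[[Application, date], bool]]] = [
    ("fraud_alert_in_credit_report", 3, lambda a, t: a.credit_report_fraud_alert),
    ("credit_freeze_notice", 2, lambda a, t: a.credit_freeze_notice),
    ("altered_or_forged_id", 5, lambda a, t: a.id_document_altered),
    ("altered_or_forged_application", 5, lambda a, t: a.application_altered),
    ("ssn_used_by_another_person", 5, _ssn_used_by_another_person),
    ("inactive_account_used", 2, _inactive_account_used),
]


def detect_red_flags(app: Application, today: date = FIXED_TODAY) -> list[tuple[str, int]]:
    """Step 2: run every rule and return the (flag, weight) pairs that fire."""
    return [(name, weight) for name, weight, pred in RULES if pred(app, today)]


def proportional_response(flags: list[tuple[str, int]]) -> str:
    """Step 3: escalate the response with the combined weight (assumed tiers)."""
    score = sum(weight for _, weight in flags)
    if score == 0:
        return "approve"
    if score <= 2:
        return "monitor_account"
    if score <= 4:
        return "verify_identity_before_proceeding"
    return "deny_and_escalate"   # the program decides when law enforcement is notified


def screen(app: Application, today: date = FIXED_TODAY) -> dict:
    flags = detect_red_flags(app, today)
    return {"customer_id": app.customer_id,
            "flags": [name for name, _ in flags],
            "response": proportional_response(flags)}


def screen_all(apps: list[Application], today: date = FIXED_TODAY) -> dict[str, dict]:
    return {app.customer_id: screen(app, today) for app in apps}


# Constructed sample applications exercising each tier.
SAMPLE_APPLICATIONS = [
    Application("cust-001", "123-45-6789"),                                   # clean
    Application("cust-002", "123-45-6789", credit_report_fraud_alert=True),   # SSN reuse + alert
    Application("cust-003", "987-65-4321", credit_report_fraud_alert=True),   # alert only
    Application("cust-004", "555-55-5555", existing_account_last_activity=date(2007, 1, 15)),
    Application("cust-005", "444-44-4444", id_document_altered=True),
]

if __name__ == "__main__":
    for result in screen_all(SAMPLE_APPLICATIONS).values():
        print(result)
```

The structure matters more than the particular weights: each red flag from step 1 becomes a named rule, detection is a single pass over those rules, and the response is chosen from the aggregate rather than from any one flag, which is what keeps it proportional to the risk to the consumer and the company.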
IV. How Do I Set Up A Program?
If your company has a board of directors, then the board must approve the company's initial written program. The board may also oversee, develop, implement and administer the program, or task a senior employee with those duties. If your company does not have a board, then a senior manager must approve the program. Any staff that implements the program on a day-to-day basis should be trained as needed. This means that if your staff has already undergone fraud training, the staff may not need additional training. The company should receive annual reports on the program covering its effectiveness, its application to third-party service providers, and any improvements or changes needed in the future. These reports also should identify any significant incidents that may involve identity theft.
V. What Happens If I Do Not Establish A Program?
Failure to establish a program by May 1 could open you up to administrative penalties of $3,500 per violation. There is no private right of action and no criminal penalties.