Many will recall the recent wave of class action lawsuits aimed at the widespread failure of U.S. retailers to comply with the credit card redaction provisions of the Fair and Accurate Credit Transactions Act (FACTA). FACTA has returned, this time with regulations commonly known as the “Red Flag Rules,” poised to create a new generation of challenges for businesses.
The Red Flag Rules Require Identity Theft Programs
The purpose of the Red Flag Rules is to require businesses to establish procedures to detect identity theft and minimize the damage that identity theft causes. The Red Flag Rules, issued jointly by the Federal Trade Commission (FTC), U.S. Department of the Treasury, Federal Reserve System, Federal Deposit Insurance System and National Credit Union Administration, require organizations that maintain “covered accounts” to implement a written identity theft prevention program by May 1, 2009.
FACTA appears to apply the Red Flag Rules to any business that allows a consumer to pay for property or services after the property is conveyed or the services are rendered. In addition to financial institutions, such as banks and savings and loan associations, FACTA applies to any entity that regularly extends, renews or continues credit. (Credit is defined as the right granted by a creditor to a debtor to purchase property or services and defer payment for such purposes.)
Challenges Organizations Face in Compliance
Organizations that are subject to these rules should be aware of at least three practical challenges when endeavoring to comply.
First, the Red Flag Rules are complex (as a result of guidelines developed by the FTC), involving approximately 26 separate requirements that may or may not apply to different business lines.
Second, the range of businesses subject to these rules is expansive. As mentioned above, FACTA applies not only to financial institutions and businesses traditionally regulated by the FTC, but also to “creditors” such as utilities, finance companies, mortgage companies, telecommunication companies, any retailers with credit sales, and even physicians and hospitals with patient accounts.
Third, the enforcement policy is already in place, and the official deadline for compliance is May 1, 2009. This means that the plaintiffs’ class action bar is geared up for another round of FACTA lawsuits against businesses that ignore or misapply the Red Flag Rules.
Requirements of the Red Flag Rules
There are two components to the Red Flag Rules: the implementation of a written identity theft program, and policies and procedures to respond to address discrepancies contained in consumer reports.
Identity Theft Program
The Red Flag Rules require creditors that maintain “covered accounts” to establish a written identity theft prevention program containing policies and procedures that are designed to:
- identify patterns, practices or activities that indicate possible identity theft (Red Flags) that are relevant to the creditor’s activities;
- incorporate those Red Flags into the creditor’s program;
- detect the Red Flags incorporated into the creditor’s program;
- respond appropriately to Red Flags to prevent and mitigate identity theft; and
- ensure that the policies and procedures are updated periodically.
A “covered account” is defined as an account that a “creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions,” and any other account that a “creditor offers or maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness” of the creditor “from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
As part of the requirements for a formal program in writing, the organization’s board of directors, or designated senior management employee in the absence of a board, must approve the initial program, and must be involved in the oversight and administration of the program. To add to the burdens, the program must provide for employee training to implement the program successfully, and effective oversight of any third-party service provider arrangements.
Address Discrepancies Contained in Consumer Reports
The consumer reports requirements are much narrower. (The deadline for compliance was November 1, 2008, but it is discussed briefly in this article to ensure awareness.) On November 1, 2008, the Red Flag Rules began requiring organizations that use consumer reports to develop and implement policies and procedures to manage discrepancies between the address received from the consumer reporting agency and the address on file with the organization. Users of consumer reports must implement policies and procedures that permit them to form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report when there is an address discrepancy. Users must also implement policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed as accurate to the consumer reporting agency when it has received an address discrepancy.
Some Practical Guidelines on Compliance with the Red Flag Rules
Although there are consultants happy to assist with the mechanical aspects of compliance with the Red Flag Rules, your organization may need careful legal advice to understand whether and how these rules apply to your business, and what is required to avoid penalties and lawsuits. The following are some practical guidelines to assist your organization in initiating a plan to develop a program and otherwise comply with the Red Flag Rules.
- Assemble a team of individuals empowered to act on behalf of your organization, including compliance, legal, business/operations, and others who are familiar with your payment and credit operations.
- Determine whether your organization offers or maintains covered accounts. If so, examine the covered accounts to determine how and when products or services are delivered and charged, and the Red Flags that are relevant to those accounts.
- Address how identified Red Flags should be detected and resolved. The methods developed to detect and resolve Red Flags should be appropriate for the Red Flags identified.
- Include appropriate responses to Red Flags that will assist in identity theft prevention.
- Conduct an annual risk assessment to determine whether the program requires revision to reflect changes in the risks to the organization and its clients.
- Involve the board or a senior management employee to oversee the program, including maintaining documentation that demonstrates such involvement and oversight (e.g., board meeting minutes reviewing the program, copies of program reports that the board reviewed).
- Train employees on relevant components of the Red Flag Rules and how to detect and address Red Flags. Document the content and participants of employee training.
- Monitor service providers that have access to covered accounts in their performance of services for your organization. Require those providers to have a program in place that is relevant to the services they furnish.