The increased prevalence and severity of identity theft in recent years have prompted several federal agencies,[1] pursuant to Section 114 of the Fair and Accurate Credit Transactions Act of 2003, to issue regulations designed to identify “patterns, practices, and specific forms of activity that indicate the possible existence of identity theft” (the “Red Flag Regulations” or the “Regulations”).[2] The commentary to the Regulations (the “Commentary”) acknowledges that while individual consumers have historically been the target of identity theft,[3] small businesses and sole proprietorships also face such risks. To this end, the Regulations require covered entities to evaluate accounts held by such businesses for risks of identity theft.
The Red Flag Regulations took effect on January 1, 2008, but the Federal Trade Commission (the “FTC”) delayed mandatory compliance with their provisions until November 1, 2008, for all entities and subsequently further delayed compliance for non-bank entities until May 1, 2009. Accordingly, the scope of this Legal Alert is limited to compliance requirements for non-bank entities that should be preparing for the May 1, 2009, compliance deadline.
The risks of failing to comply with the Red Flag Regulations include civil fines of up to $2,500 per violation, regulatory enforcement actions, plaintiffs’ lawsuits, and harm to one’s business reputation.
The second part of this legal alert provides the relevant framework to be applied in determining whether an entity is a “creditor” and if so, whether the creditor offers or maintains “covered accounts,” within the meaning of the Regulations.
The last part of this legal alert provides a summary of the policies and procedures required to be included in an entity’s written Program if the entity concludes, after consulting the information contained in the second part of this legal alert, that it offers “covered accounts.” The last part of this legal alert also includes a brief section on administering a written Program.
Initial and Periodic Inquiries
At a minimum, the Red Flag Regulations require every creditor[4] that offers consumer accounts,[5] that is, accounts that “a creditor offers or maintains, primarily for personal, family, or household purposes” (the “Consumer Accounts”), to implement a written Program to minimize the risks of identity theft (the “Program”).[6]
If a Creditor does not offer Consumer Accounts, the Regulations mandate that such a Creditor both make an initial inquiry into, and periodically reassess, whether it offers or maintains Covered Accounts for which there is a “reasonably foreseeable risk of identity theft.”[7]
For non-consumer Accounts, a Creditor determining whether it offers Accounts for which there is a reasonably foreseeable risk of identity theft should consider the methods it provides to open and access its Accounts, as well as its prior experiences with identity theft. Although the Red Flag Regulations provide scant guidance to entities in making this determination, entities should likely consider the types of Accounts offered; the procedures for opening a new Account, including the types of identification information required to open such Accounts; the policies and procedures currently used to safeguard Account-specific information; any past instances of identity theft in connection with the opening or maintenance of any customer Accounts; and the policies and procedures used to allow customers off-site access to existing Accounts, such as through the Internet or via telephone.
The Commentary notes that the Agencies anticipate that some Creditors, such as Creditors that solely engage in business-to-business transactions, will be able to determine that they do not need to develop and implement a written Program. The Regulations do require that Creditors periodically reassess whether they must develop and implement a written Program in light of changes in the Accounts offered or maintained, even if such Creditors initially determine that any Accounts offered or maintained do not pose identity theft risks.
To leave a paper trail in the event the FTC or other applicable regulatory agency challenges the Creditor’s actions, these determinations should be made by a task force established by the board of directors. The task force should prepare a written report for board consideration outlining its findings and any recommendations it has to offer after evaluating the types of Accounts the Creditor offers or maintains. For examples of such resolutions and task force documents, please contact Jay Miller at Sutherland.
Implementation of a Written Identity Theft Prevention Program
If a Creditor determines, either after its initial inquiry or after a periodic reassessment of the Accounts it offers, that a portion of its Accounts is susceptible to risks of identity theft, or if the Creditor offers or maintains Consumer Accounts, the Creditor must implement a written identity theft prevention Program. The Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a Covered Account or any existing Covered Account. Additionally, the Program must be appropriate to the size and complexity of the Creditor’s business, address the nature and scope of the Creditor’s activities, and be flexible enough to address changing identity theft risks as they arise.
Further, the written Program must be approved by the Creditor’s board of directors or an appropriate board committee. The board, a board committee, or an employee at a senior management level must be involved in the oversight, development, implementation, and administration of the Program. Additionally, the board is responsible for ensuring that the Creditor’s staff has appropriate training to implement the Program and that the Program includes appropriate oversight guidelines for third-party service providers.
The four basic elements that must be included in any written Program are:
- Identifying relevant “red flags”
- Detecting “red flags”
- Responding appropriately to “red flags”
- Ensuring that the Program is updated periodically
Identifying Relevant Red Flags
A “red flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft (the “Red Flags”). Examples of Red Flags include a fraud, active duty, or “credit freeze” alert on a consumer’s credit report; the return of mail sent to the consumer as undeliverable while transactions continue to be conducted in connection with the Account; the use of a new revolving credit Account in a manner commonly associated with known patterns of fraud, including the use of a majority of the available credit for cash advances or merchandise that is easily convertible to cash, such as jewelry or electronic equipment; alerts, notifications, or other warnings received from consumer reporting agencies and other vendors; the presentation of suspicious documents in the opening of a Covered Account; the presentation of suspicious personal identifying information, such as a suspicious address change; the unusual use of, or other suspicious activity related to, a Covered Account; and notices from customers, victims of identity theft, law enforcement authorities, or other persons. Further examples of relevant Red Flags are included in Supplement A to Appendix A of the final version of the Red Flag Regulations.[8]
Detection of Red Flags
A Creditor’s written Program must contain policies and procedures to detect the Red Flags that it has determined are relevant and has incorporated into its Program. These policies and procedures should address the detection of Red Flags for both the opening and the maintenance of Covered Accounts. These detection requirements may be met by obtaining identifying information about, and verifying the identity of, a person or entity opening a Covered Account; authenticating customers, monitoring transactions, and verifying the validity of address change requests for existing Covered Accounts; and implementing appropriate procedures to verify any information obtained in connection with the opening or maintenance of a Covered Account.
Responding to Red Flags
Any written Program must also include reasonable policies and procedures designed to respond appropriately to any Red Flags detected in order to prevent and mitigate identity theft. The response required under the written Program should be commensurate with the degree of risk the specific instance of identity theft poses. This risk assessment should take into account potential aggravating factors that could heighten the risk of identity theft, such as a data security breach that results in unauthorized access to a customer’s account held by the Creditor. Appropriate responses to the detection of Red Flags may include monitoring a Covered Account for additional evidence of identity theft; contacting the customer; changing any passwords, security codes, or other security devices that permit access to a Covered Account; reopening a Covered Account with a new number; and notifying law enforcement if the situation warrants.
Updating the Program
Creditors required to implement a written Program should periodically reassess the policies and procedures currently in place to reflect changes in the risk environment. Examples of events to consider in reassessing a Creditor’s written Program include relevant experiences with identity theft; changes in identity theft methods; changes in the methods to detect, prevent, and mitigate identity theft; changes in the types of Accounts the Creditor offers or maintains; and changes in the Creditor’s business arrangements through mergers, acquisitions, or changes in vendors or service providers.
Any business currently offering credit to consumers, small businesses, or sole proprietorships should ensure that it takes appropriate steps to comply with the Red Flag Regulations. Any business offering credit to consumers must implement a written Program to prevent and mitigate the effects of identity theft. In addition, businesses must undertake an initial inquiry into, and periodically reassess, whether Accounts offered to or held by small businesses or sole proprietorships present risks of identity theft, and, if such risks are present, implement a written Program designed to prevent and minimize their effects.