You may be surprised to learn that your business must comply with the new identity theft Red Flag Rules. Not only are credit card companies and financial institutions subject to these rules, but any company that regularly extends or merely arranges for the extension of credit is also subject to the rules. Thus, finance companies, mortgage brokers, automobile dealers, telecommunications companies, and utility companies, among others, will have to comply with the Red Flag Rules. If your company extends or arranges for the extension of credit, you have only until November 1, 2008, to become compliant with the Red Flag Rules.


On December 4, 2003, the President signed into law the Fair and Accurate Credit Transactions Act ("FACTA"). FACTA was enacted by Congress to provide consumers with increased protection from identity theft. FACTA directed six agencies to jointly "establish and maintain guidelines…[that] identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft."[1] Accordingly, the six agencies published the final regulations on November 9, 2007, and those regulations became effective January 1, 2008.[2] However, compliance with the regulations is not mandatory until November 1, 2008.[3]

The final regulations contain three parts. First, they require covered entities to create a written identity theft program designed to detect, prevent, and mitigate identity theft in connection with certain covered accounts (the "Red Flag Rules" or the "Rules"). Second, the regulations impose requirements on consumer reporting agencies related to discrepancies between an address contained in a request for a consumer report and the address in the consumer reporting agency's file. Third, the regulations impose requirements on debit and credit card issuers to implement procedures to assess the validity of address changes under certain circumstances. This Commentary focuses on only the Red Flag Rules portion of the regulations.

Covered Entities

The Red Flag Rules cover "financial institutions" and "creditors" that offer or maintain "covered accounts." The breadth of the Rules comes from the broad definition of creditors. The term "creditor" means "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."[4] Consequently, many entities involved in the process of extending or maintaining credit must comply with the Red Flag Rules despite the fact that they do not extend credit themselves. For example, a retailer that takes applications for a third-party credit card or the car dealer that partners with a local bank branch to facilitate car loans will likely be subject to the Rules. Similarly, where nonprofit and government entities, such as many hospitals, defer payment for goods and services, they too will be considered creditors.

In addition to creditors, financial institutions are also required to comply with the Red Flag Rules. For purposes of the Rules, "financial institution" means banks, savings and loan associations, mutual savings banks, credit unions, or any other person who, directly or indirectly, holds a transaction account belonging to a consumer.[5]

Under the Red Flag Rules, only those creditors and financial institutions that offer or maintain covered accounts are required to develop and implement an identity theft prevention program. A "covered account" is "(i) [a]n account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions…and (ii) any other account…for which there is a reasonably foreseeable risk to customers…from identity theft…."[6] Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, and checking and savings accounts. In determining whether the Red Flag Rules apply, a company should consider the types of accounts it offers, the methods it provides to open its accounts, the methods it provides to access its accounts, and its previous experiences with identity theft.[7] Additionally, the company should periodically perform a reassessment of all of its accounts to determine whether they are covered accounts that trigger the application of the Rules.

Designing a Program

Companies subject to the Red Flag Rules must design and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.[8] The Rules do not specify the contents of the program that must be adopted. They leave companies considerable flexibility and require only that a company design and implement a program that is appropriate to the size and complexity of the company and the nature and scope of its activities.

The Red Flag Rules do require identity theft prevention programs to include "reasonable policies and procedures" to identify relevant red flags and incorporate them into the program, to detect those red flags, to respond appropriately when red flags are detected, and to ensure that the program is updated periodically. Each of these elements is discussed below.

Identify Relevant Red Flags. The first element in the identity theft prevention program, as required by the Red Flag Rules, is to determine which red flags are relevant to the company and incorporate those red flags into its program.[9] "Red flags" are patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account. The company should examine the covered accounts it currently offers or maintains and identify potential sources of red flags. The Rules include a set of guidelines that must be considered in implementing a program and set forth 26 examples of potential red flags. While not all 26 of the example red flags must be incorporated, the company should seriously consider each and have legitimate reasons for not incorporating any of them in the final written program. The company should also take into account its previous experience with identity theft in determining the appropriate red flags for its program. Some examples of red flags include:

  • an application appears to have been forged, altered, or destroyed and reassembled;
  • a consumer report includes a fraud alert, credit freeze, or address discrepancy;
  • a change of address notice is followed shortly by a request for a new credit card, bank card, or cell phone;
  • the Social Security number supplied by an applicant is the same as that submitted by another person opening an account;
  • the address or telephone number supplied by an applicant is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts;
  • the financial institution or creditor is notified that the customer is not receiving account statements; and
  • an account that has been inactive for a reasonably lengthy period of time is used.
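Several of the example red flags above are, in practice, simple pattern checks over application and account data. The following Python is an added illustration, not part of the original Commentary or of any agency guidance, showing how four of them (a shared Social Security number, an address or telephone number shared by many applicants, an address change followed shortly by a new card request, and use of a long-dormant account) can be implemented. The sample records, the field names, and the thresholds (three shared applicants, a 30-day window, 365 days of dormancy) are all assumptions constructed for this example; a company would set them from its own experience with identity theft, as the Rules contemplate.

```python
"""Red-flag detection checks over constructed sample records (added example)."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed sample applications for new covered accounts (not real data).
APPLICATIONS = [
    {"id": "A1", "ssn": "123-45-6789", "address": "10 Main St", "phone": "555-0100"},
    {"id": "A2", "ssn": "123-45-6789", "address": "22 Oak Ave", "phone": "555-0101"},
    {"id": "A3", "ssn": "987-65-4321", "address": "99 Drop Box Rd", "phone": "555-0199"},
    {"id": "A4", "ssn": "111-22-3333", "address": "99 drop box rd", "phone": "555-0199"},
    {"id": "A5", "ssn": "222-33-4444", "address": "99 Drop Box  Rd", "phone": "555-0199"},
    {"id": "A6", "ssn": "333-44-5555", "address": "99 Drop Box Rd", "phone": "555-0102"},
]

# Constructed events on existing accounts: (account, event_type, date).
EVENTS = [
    ("C100", "address_change", date(2008, 3, 1)),
    ("C100", "new_card_request", date(2008, 3, 5)),   # 4 days after the change
    ("C200", "address_change", date(2008, 1, 1)),
    ("C200", "new_card_request", date(2008, 4, 1)),   # 91 days after the change
    ("C300", "transaction", date(2008, 6, 1)),
]

# Constructed account master data: date of the last activity before EVENTS.
ACCOUNTS = {
    "C300": {"last_activity": date(2006, 1, 1)},  # dormant for over two years
    "C400": {"last_activity": date(2008, 5, 1)},
}


def _norm(value):
    """Case-fold and collapse whitespace so trivially varied entries match."""
    return " ".join(value.lower().split())


def shared_ssn(applications):
    """Red flag: the SSN supplied is the same as one submitted by another applicant."""
    counts = Counter(app["ssn"] for app in applications)
    return {app["id"] for app in applications if counts[app["ssn"]] > 1}


def address_or_phone_shared(applications, threshold=3):
    """Red flag: address or phone shared by an unusually large number of applicants.

    'Unusually large' is expressed here as an assumed absolute threshold; only
    exact matches after normalisation are counted (no fuzzy 'similar' matching).
    """
    addr_counts = Counter(_norm(app["address"]) for app in applications)
    phone_counts = Counter(_norm(app["phone"]) for app in applications)
    return {
        app["id"] for app in applications
        if addr_counts[_norm(app["address"])] >= threshold
        or phone_counts[_norm(app["phone"])] >= threshold
    }


def address_change_then_new_card(events, window_days=30):
    """Red flag: a new card request arrives shortly after an address change."""
    by_account = defaultdict(lambda: defaultdict(list))
    for acct, kind, when in events:
        by_account[acct][kind].append(when)
    window = timedelta(days=window_days)
    flagged = set()
    for acct, kinds in by_account.items():
        for change in kinds.get("address_change", []):
            requests = kinds.get("new_card_request", [])
            if any(change <= req <= change + window for req in requests):
                flagged.add(acct)
    return flagged


def dormant_account_used(accounts, events, dormant_days=365):
    """Red flag: an account inactive for a lengthy period is suddenly used."""
    gap = timedelta(days=dormant_days)
    flagged = set()
    for acct, kind, when in events:
        if kind != "transaction" or acct not in accounts:
            continue
        if when - accounts[acct]["last_activity"] > gap:
            flagged.add(acct)
    return flagged


def run_all():
    """Run every check and return {red_flag_name: flagged identifiers}."""
    return {
        "shared_ssn": shared_ssn(APPLICATIONS),
        "shared_address_or_phone": address_or_phone_shared(APPLICATIONS),
        "address_change_then_new_card": address_change_then_new_card(EVENTS),
        "dormant_account_used": dormant_account_used(ACCOUNTS, EVENTS),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {sorted(hits)}")
```

Each function returns the identifiers it flags rather than acting on them, so the response step can be handled separately and scaled to the risk (a hit on the shared-address check alone might only trigger a manual review, while a shared SSN would normally block account opening pending verification). Note that the checks treat a miss as silence, not as a clean bill of health; an applicant using a fresh address and a fabricated SSN triggers none of them, which is why the Rules pair red-flag detection with identity verification at account opening.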

Detect Red Flags. The company should implement procedures to detect the identified red flags. The company should be sure to verify the identity of persons opening new covered accounts and should authenticate customers with existing covered accounts.[10] The company can refer to the verification procedures set forth in the Customer Identification Program rules that apply to financial institutions for guidance.[11]

Establish Response Procedures. The company should develop appropriate policies and procedures to respond to any red flags that are detected. The response should be commensurate with the degree of risk posed, which may include monitoring an account, contacting the customer, changing passwords, or notifying law enforcement. In some situations, it may be appropriate to determine that no response is necessary.[12]

Ensure the Program is Updated Periodically. It is important for the company to periodically update its program to reflect changes in risks. The company must keep current with changes in identity theft and, as necessary, utilize new methods of combating identity theft. Additionally, the company should be aware that risks may change when it alters its business arrangements or modifies the types of accounts it offers.[13]

Methods for Administering the Program

Approval of the initial written program must be obtained from the company's board of directors or an appropriate committee thereof.[14] Oversight of the implementation of the program must be done by the board, a board committee, or a designated employee at the level of senior management.[15] This oversight also includes reviewing reports and approving material changes to the program.[16] If the company has any arrangements with service providers, it must ensure that any service provider's activity with regard to covered accounts is performed in accordance with policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.[17]

Consequences of Noncompliance

Failure to comply with the Red Flag Rules can result in various penalties. Consequences may include a civil money penalty for each violation, regulatory enforcement action, and negative publicity.[18] Although the Rules do not allow for any private legal action,[19] there is the potential for private plaintiff lawsuits because a violation of federal rules may itself be a violation of state laws. These state laws may permit actions by consumers or state attorneys general. In any event, it is likely that, over time, the Red Flag Rules will become a de facto standard of care applied to determine whether a company has negligently caused a customer's identity to be stolen.


In general, the new Red Flag Rules require companies with covered accounts to take reasonable measures to ensure the safety of sensitive consumer information. The Rules are intended to detect, prevent, and mitigate the risk of identity theft, but they do not require companies to adopt any particular policy or procedure. Rather, companies can scale their programs to match the size, complexity, and nature of their businesses. The process a company follows in adopting its identity theft prevention program will go a long way toward establishing that the program is reasonable. At a minimum, a company should be capable of justifying the policies and procedures it adopts by demonstrating it has seriously considered the pertinent risks and has attempted to minimize them.