The Red Flag Rules, issued by the Federal Trade Commission (“FTC”) and other regulatory bodies, become effective November 1, 2009, and require certain entities to establish programs that facilitate the detection, prevention and mitigation of identity theft.
What entities are subject to the Red Flag Rules?
The Red Flag Rules apply to financial institutions and creditors that create and maintain covered accounts (defined below). At first blush, an entity may think that it is not subject to the Red Flag Rules because it is not a credit card company or financial institution. However, although the Red Flag Rules certainly apply to financial institutions, they also apply to any “creditor.” The definition of “creditor” is broad. It includes any entity that regularly (1) extends or renews credit (or arranges for others to do so); and (2) provides goods and services to others and allows the consumer to defer payment. The ultimate consumer need not be an individual.
The FTC has provided a list of entities to which it believes the Red Flag Rules apply; however, the FTC cautions that its list is not exhaustive. Briefly, the FTC considers the following groups as prime candidates for Red Flag Rule compliance:
- Doctors, dentists, and other health care providers;
- Accountants and lawyers;
- Telecommunications companies;
- Debt collectors;
- Retailers; and
- Employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card.
Entities falling into these categories will need to evaluate their obligation to comply with the Red Flag Rules. As described below, the determination will be based in part upon the risk of identity theft among the accounts the entity holds.
The formal obligation to comply with the Red Flag Rules apply to entities with covered accounts. Therefore, all entities should, as an initial matter examine their internal operations to make sure that they do not create or maintain covered accounts. The definition of a covered account, like the definition of creditor, is also broad. A covered account can be (1) consumer accounts designed to permit multiple payments or transactions; or (2) any other account that presents a reasonably foreseeable risk from identity theft. However, even businesses that have determined they do not have covered accounts still must conduct periodic risk assessments to ascertain whether any changes to that determination have occurred.
Summary of Guidelines for Compliance
The regulations provide guidelines for the development of an identity theft plan. These guidelines are summarized below:
1. Identify relevant red flags. The relevant red flags will likely vary from business to business. It is important to identify red flags based on past experiences, especially any past experience with identity theft. It will be important to evaluate the type of consumer credit accounts that the organization holds. If the organization already has an identity theft policy that policy, should be analyzed and incorporated, as appropriate, into the new program. After an internal review, the organization should evaluate the list of red flags identified in the regulations. The regulations list 26 potential red flags which are organized into the following categories:
- Alerts, notifications or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personal identifying information;
- Unusual use of, or suspicious activity related to, the covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft.
2. Detect red flags. The organization should implement the appropriate policies and procedures to ensure that the potential red flags previously identified are indeed detected. Generally this will consist of requiring appropriate identification when opening new accounts and verifying identification on existing accounts. Change of address requests should be appropriately verified. Further, accounts should be monitored to ensure that suspicious usage patterns are detected. Detection techniques will largely depend upon the types of red flags the organization has identified as potential problems.
3. Prevent and mitigate identity theft. If a red flag is identified then the organization must take appropriate steps to prevent any loss or breach or, at the least, mitigate any damage. Appropriate responses may include:
- Monitor an account for evidence of identity theft;
- Contact the customer;
- Change passwords, codes or other security devices that permit access to the account;
- Reopen an account with a new number;
- Refuse to open a new account;
- Close an existing account;
- Refrain from collecting on an account;
- Notify law enforcement; or
- After evaluating the situation, determine that no response is warranted.
4. Update your identity theft policy. Methods of identity theft, the technology used in the detection of identity theft, the types of business relationships (for example, the type of accounts maintained) and the experiences of the organization will invariably change over time. Thus, the policy should be updated annually. It is recommended that the board, a committee of the board or a senior, high-level manager be assigned direct oversight of the entity’s identity theft program. This person or group should receive regular reports including an evaluation of the effectiveness of the policy, a description of any significant incidents of identity theft and any recommended changes to the policy.
The contents of this client alert address only the Federal law on Red Flag Rules. Some states have similar laws. For example, in Wisconsin, entities must notify individuals whose personal information has been acquired by an unauthorized party, of the disclosure. As such, all entities should take steps to ensure that the Red Flag Rules (and any complementary state laws) are inapplicable to their operations or that they are compliant.
Please contact one of the authors of this alert should you have any questions regarding compliance with the Red Flag Regulations or if we can provide assistance with drafting an Identity Theft Policy for your organization.