As most are aware, the Federal Trade Commission (“FTC”), in conjunction with the federal bank regulatory agencies, has issued regulations (the “Red Flags Rules”) under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) requiring financial institutions and creditors to develop and implement written identity theft prevention programs. The original effective date for the Red Flags Rules was November 2008, but – due to confusion over their applicability and scope – the date has been extended several times, most recently to June 1, 2010. Thus, absent yet another extension of the effective date, all creditors with “covered accounts” must have a program in place by June 1, 2010 that provides for the identification and detection of, and response to, patterns, practices or specific activities – known as “red flags” – that could indicate possible identity theft.
The first question any entity must address is whether the Red Flags Rules apply to it. The FTC’s definition of “creditor” is fairly broad: it includes any entity that regularly (i) extends or renews credit (or arranges for others to do so) and (ii) provides goods and services to others and allows those consumers to defer payment. The FTC has provided a list of entities to which it believes the Red Flags Rules apply; however, it cautions that the list is not exhaustive. That list includes physicians, dentists and other health care providers; accountants and lawyers; utilities; telecommunications companies; debt collectors; retailers; and employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card. Entities falling into these categories need to examine their internal operations to determine whether they hold “covered accounts.” The definition of a “covered account,” like the definition of creditor, is broad. A “covered account” can be (i) a consumer account designed to permit multiple payments or transactions or (ii) any other account that presents a reasonably foreseeable risk of identity theft.
Certain industries believe that, while well-intentioned, the FTC is seeking to apply the Red Flags Rules too broadly. For instance, the American Medical Association, the American Osteopathic Association and the Medical Society of the District of Columbia filed a federal lawsuit last Friday, May 21, 2010, alleging that the FTC exceeded its authority under FACTA by extending its provisions and implementing regulations to physicians. The medical associations argued that the regulations, as applied to physicians, are arbitrary, capricious and contrary to law, specifically citing that physicians do not fit FACTA’s definition of “creditors,” which was primarily aimed at financial institutions. Physicians regularly provide health care services to patients and bill for those services at a later date, which, according to the FTC, makes physicians “creditors” under FACTA and thus subject to the Red Flags Rules.
The medical associations’ lawsuit follows similar suits initiated by other professions, including lawyers and accountants. In October 2009, the American Bar Association prevailed in its efforts to obtain a declaration that the Red Flags Rules could not be enforced against lawyers because lawyers are not creditors under FACTA. The FTC has since appealed the decision. The American Institute of Certified Public Accountants filed a similar lawsuit in November 2009, although a ruling in that case is not expected until the FTC’s appeal in the American Bar Association case is resolved.
Once an entity determines that the Red Flags Rules may apply, the next issue is what must be done to comply with the regulations. In short, entities to which the Red Flags Rules apply must develop a written program that identifies and detects the relevant warning signs, or “red flags,” of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and set out a plan for updating the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training and provide for oversight of any third-party service providers.
The Red Flags Rules are fairly flexible in that they provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations.
All financial institutions and other entities that either extend credit or accept deferred payment from customers must thoroughly examine whether the Red Flags Rules apply to them. Those deemed to be creditors by the FTC must develop an identity theft prevention program that complies with the Red Flags Rules by June 1, 2010.