“Red Flag” Identity Theft Programs Required by November 2008
Yesterday the Federal Trade Commission (FTC) formally reminded financial institutions and creditors of the upcoming November 2008 deadline for implementing identity theft prevention programs in compliance with the “Red Flag” Rules that were jointly adopted last year by the FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration).
As explained in this advisory, all types of financial institutions and most electronic service providers (including video, Internet and voice service providers) will have “covered accounts” governed by these new rules and therefore must have designed, implemented and begun operating an internal system to detect and combat identity theft no later than November 1, 2008.
The FTC issued a gentle reminder yesterday that companies should be well along in getting their identity theft programs in place. The FTC also launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.
The Identity Theft Red Flag Rules were promulgated pursuant to the Fair and Accurate Credit Transaction Act of 2003 and published in November 2007. Under the rules, financial institutions and “creditors” with “covered accounts” must have identity theft prevention programs in place and operating by November 1, 2008. The programs must identify, detect and respond to patterns, practices or specific activities that could indicate an account holder has been the victim of—or is engaged in—identity theft.
Definitions
“Financial institution” includes any state or federal bank, state or federal loan association, mutual savings bank, state or federal credit union, or any person that directly or indirectly holds a transaction account belonging to a customer. Most of these institutions are regulated by the federal bank regulatory agencies and the National Credit Union Administration.
“Creditor” includes:
- Any person or entity that regularly extends, renews, arranges or continues credit;
- Any assignee or an original creditor who participates in the decision to extend credit; and
- Essentially anyone that bills after providing service or allows customers to defer payment.
A company that bills in advance will still be a “creditor” even if it:
- Imposes usage-sensitive charges after a service is used or provided;
- Does not immediately disconnect service for late payment or non-payment; or
- Continues to provide service while accounts are delinquent or late-paid.
The rules specifically refer to banks, finance companies, automobile dealers and mortgage brokers, as well as utility companies and telecommunications companies, which have been the subject of pre-Red Flag cases involving “creditors.” However, given current billing practices, the rules' expansive definition of “creditor” would include almost all cable television operators, Internet service providers, local exchange carriers, and any other entity that provides a service or product that is not paid for in full in advance or concurrently with receipt.
“Covered account” includes:
- An account maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and
- Any other account, including a business account, that poses “a reasonably foreseeable risk to customers or the safety and soundness of the . . . creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
“Red flags” include:
- Alerts, notifications or other warnings received from consumer reporting agencies;
- Notices from consumers, victims of identity theft or law enforcement officers;
- Suspicious documents such as forgeries or a photo description that does not match a person;
- Suspicious personally identifying information (e.g., inconsistent or mismatched addresses, Social Security numbers, etc.); and
- Other events that indicate a likelihood of an occurrence of identity theft.
“Red Flag” Rule requirements
Although every financial institution and creditor with covered accounts must develop and implement a written identity theft prevention program, the FTC advised that there is some flexibility in doing so. Each company's program may be designed as appropriate to the size and complexity of the business and the nature and scope of its activities, as long as it will detect, prevent and mitigate identity theft in connection with existing and new accounts.
Each identity theft prevention program must:
- Identify red flags. Identifying red flags requires review of the types of accounts offered and maintained, the methods used to open and provide access to the accounts, and any previous experience with identity theft.
- Detect red flags. Detecting red flags requires obtaining identifying information about, and verifying the identity of, persons opening covered accounts and having a process to authenticate customers, monitor their transactions and verify the validity of change-of-address requests.
- Respond to red flags. Responding to red flags requires “appropriate responses” that prevent and mitigate identity theft. Examples include monitoring covered accounts for evidence of identity theft, contacting the consumer, changing passwords or security codes, refraining from collecting on an account or selling it to a debt collector, or notifying law enforcement.
- Be approved by the board. The company's board (or committee) must approve the identity theft prevention program and thereafter be involved directly, or through a designated senior management employee, in the oversight, development, implementation and administration of the program. In addition, the company must assign specific responsibility for implementation, train staff, audit compliance, generate annual reports and oversee anyone granted access to covered accounts.
Conclusion
The FTC and consumer groups will be sure to monitor the implementation of and compliance with new identity theft programs. Let us know if you have any questions or would like us to assist you in creating or administering such a program.