The Federal Trade Commission (FTC) has issued a new rule requiring all financial institutions and “creditors” to implement programs to detect, prevent and mitigate instances of identity theft. This “Red Flags Rule” goes into effect as of November 1, 2009.
Requirements of the Rule
The Rule requires that all financial institutions and creditors develop, implement and administer an Identity Theft Prevention Program (the “Program”), which must include four basic elements:
First, the Program must include reasonable policies and procedures to identify the “red flags” of identity theft that may arise in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account, an ID that appears to be fake would be a “red flag” for your business.
Second, the Program must be designed to detect the red flags that you’ve identified as arising in your business. For example, if you’ve identified fake IDs as a red flag, you must develop procedures to detect possible fake, forged or altered identification.
Third, the Program must spell out the appropriate actions you will take when you detect a red flag. For example, if you have identified fake IDs as a red flag, the Program should set out the protocol to follow once one is detected (e.g., confiscating the fake ID and contacting the authorities).
Fourth, because identity theft is an ever-changing threat, the Rule requires you to address how you plan to re-evaluate the Program periodically to reflect new risks that have arisen related to identity theft.
The Rule also sets out requirements on how to incorporate the Program into the daily operation of your business. Your board of directors (or a committee of the board) must approve the initial written Program. If your company does not have a board of directors, the Program must be approved by the president, chief operating officer, or another appropriate senior-level employee. The Program must state specifically who is responsible for implementing and administering it, and must provide for appropriate staff training. If you outsource or subcontract parts of your operations, the Program must address how your company will monitor the compliance of all contractors.
Who Must Comply with the Rule?
The Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires you to conduct a periodic risk assessment to determine whether or not you have any “covered accounts.”
The Rule defines “financial institution” to include (i) all banks, savings associations, and credit unions, and (ii) any other person or organization that directly or indirectly holds a transaction account belonging to a consumer. Accordingly, banks, savings associations, and credit unions are covered by the Rule as “financial institutions” whether or not they hold a transaction account belonging to a consumer.
The definition of “creditor” is broad and includes any business or organization that regularly defers payment for goods or services, or provides goods or services and bills customers later. Thus, utility companies, health care providers, telecommunications companies and even some professional service providers are all among the entities that may fall within this definition, depending on how and when they collect payment for their services. The Rule further defines “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. This would include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others, such as by processing credit applications. Finally, the definition also includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For instance, a third-party debt collector who regularly renegotiates the terms of a debt would also fall within the definition of “creditor.”
Once you have concluded that your business or organization is a financial institution or creditor, you must determine whether you have any “covered accounts.” The definition of this term under the Rule points to two categories of accounts, and requires you to examine both existing and new accounts in determining whether your business has any “covered accounts.” The first type of “covered account” is a consumer account you offer your customers that is primarily for personal, family or household purposes and that involves or is designed to permit multiple payments or transactions. For instance, a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account is a “covered account.”
The second type of “covered account” includes “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Thus, this type of “covered account” would include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments – which are always “covered accounts” under the Rule – other types of accounts will only be considered “covered accounts” if the risk of identity theft is reasonably foreseeable.
In determining whether or not accounts are covered under the second category, consider how they are opened and accessed. For instance, if an account can be accessed remotely (such as through a telephone or computer) there could be a reasonably foreseeable risk of identity theft. The risk analysis should include consideration of any actual instances of identity theft.
If your business has no covered accounts, it is not required to have a written Program. However, it is important to conduct a periodic re-evaluation of the services and accounts provided by your company to determine whether or not you have acquired any covered accounts.
Penalties for Non-Compliance
Once enforcement begins on November 1, 2009, financial institutions and creditors may be subject to penalties of $2,500 per violation of the Rule.
This Client Alert is a summary only, prepared for general informational purposes, and is not an exhaustive description of the Red Flags Rule. Nothing in this letter is intended to be, or should be construed as, a legal opinion or legal advice of the undersigned or Meyers, Roman, Friedberg & Lewis.
If you would like to discuss how these changes affect you or your business, or for a fuller description of the new Red Flags Rule, please contact:
Sarah M. Duffy, Esq. – 216-831-0042 ext. 191
John R. Seeds, Esq. – 216-831-0042 ext. 174
MEYERS, ROMAN, FRIEDBERG & LEWIS
28601 Chagrin Blvd., Ste. 500
Cleveland, Ohio 44122