Jackson Lewis

FTC Grants Three-Month Delay of Enforcement of Identity Theft Prevention Rule

The Federal Trade Commission has delayed enforcement of its new identity theft prevention rule (or “Red Flags Rule”) until August 1, 2009. The FTC, on April 30, 2009, said the move is to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. The delay in FTC enforcement does not affect other federal agencies’ enforcement of the original November 1, 2008, compliance deadline for institutions subject to their oversight.

What is the “Red Flags Rule”?

For at least eight years, identity theft has been the leading crime reported to the FTC. Identity thieves use people’s personally identifying information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses and costing millions of dollars. To help slow the frequency of these offenses, federal and state governments have passed numerous laws, one example being the Fair and Accurate Credit Transactions (FACT) Act of 2003.

Under the FACT Act, a number of federal agencies, including the FTC, the federal bank regulatory agencies, and the National Credit Union Administration, issued regulations (“Red Flags Rules”) to require financial institutions and creditors to develop and implement written identity theft prevention programs to detect, prevent, and mitigate instances of identity theft. These programs must be designed to provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. Originally, the programs were required to be in place by November 1, 2008. That date was delayed to May 1, 2009, and now, to August 1, 2009.

Who is subject to the Red Flags Rule?

The Red Flags Rule applies to “financial institutions” and “creditors” with “covered accounts.”

Under the Rule, a financial institution is a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. According to FTC guidance, examples of creditors are finance companies, automobile dealers that provide or arrange financing, mortgage brokers, utility companies, telecommunications companies, non-profit and government entities that defer payment for goods or services, and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Except for creditors regulated by the federal bank regulatory agencies and the NCUA, most creditors come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card, margin, cell phone, utility, checking and savings accounts, and mortgage and automobile loans. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

Why the delay in enforcement and how can I comply?

There has been a lot of confusion concerning which entities are covered by the Rule, particularly on the question of who is a creditor. During its outreach efforts, the FTC learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage and how to comply.

The agency has issued additional clarification and guidance. See, e.g., www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, and www.ftc.gov/redflagsrule. In addition, for entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC soon will release a template to help them comply with the law.

Covered entities must develop written programs that identify and detect relevant warning signs – or “red flags” – of identity theft. These red flags may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. Red flags generally fall into five categories:

  • alerts, notifications, or warnings from a consumer reporting agency;
  • suspicious documents;
  • suspicious personally identifying information, such as a suspicious address;
  • unusual use of, or suspicious activity relating to, a covered account; and
  • notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

An identity theft prevention program also must describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers. Programs designed to comply with the Red Flags Rule should be appropriate to the size and complexity, as well as the nature of the operations of the covered entity.

Members of our Employee Benefits, including Complex ERISA Litigation, Workplace Privacy and Executive Compensation Practice Group can help your business to understand your obligations under the Red Flags Rule and take appropriate steps to comply.
