JULY 29, 2009, UPDATE
On Wednesday, July 29, 2009, the FTC extended the enforcement deadline for the Red Flags Rule for combating identity theft until November 1, 2009. For more information about the extension, please visit http://www.digestiblelaw.com/datasecurity/blogQ.aspx?entry=6070&id=34
OCT. 24, 2008, UPDATE
On October 22, 2008, the FTC announced that it would suspend enforcement of its new "Red Flag Rules" for combating identity theft for six months, which gives entities subject to the rule until May 1, 2009 to implement a written "Red Flag Program" to detect, prevent and respond to threats of identity theft in connection with accounts covered by the rules. In its Enforcement Policy Statement that accompanied the announcement, the FTC stated that:
[S]ome industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA’s definitions of “creditor” or “financial institution.” Many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008.
Thus, the FTC delayed its enforcement date in order to provide businesses ample time to bring their policies and procedures into compliance with the new rules.
For more information about the Red Flag Rules and how they might affect your business, please contact us with questions.
Joe Cutler: 206-539-6014
Veronica McGregor: 415-344-7062
Summary of Red Flag Rules Amending the Fair Credit Reporting Act
The Fair Credit Reporting Act ("FCRA") was amended on November 9, 2007 to impose a responsibility on financial institutions and creditors to create, approve, implement, oversee, and update a written program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing account.
The final rules are the implementing regulations for the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), and were developed and issued jointly by the Department of the Treasury, the Federal Reserve, the FDIC, the National Credit Union Administration, and the FTC ("the Agencies"). Accordingly, the same basic rules (with scopes tailored to each Agency's covered entities) have been implemented in each Agency's regulations. The Final Rule, entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003," can be found in the Federal Register, Vol. 72, No. 217 (November 9, 2007).
The original rules required covered entities to be compliant by November 1, 2008. On October 22, 2008, the FTC issued an Enforcement Policy Statement that delayed enforcement of the Red Flag Rules until May 1, 2009 to provide businesses ample time to bring their policies and procedures into compliance with the new rules.
Who is Covered by the Rule?
Under the final rule, only those financial institutions or creditors that offer or maintain "covered accounts" must develop the written program.
While the rule maintains the standard definitions of "financial institution" from the Fair Credit Reporting Act ("FCRA"), and "creditor" from the Equal Credit Opportunity Act, the final rule expressly adds a list of examples to its definition of "creditors" to include lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. This definition expands traditional notions of coverage to include utility accounts and cell phone accounts. Such examples indicate that the FTC intends to cast a wide net to all accounts that are paid in multiple payments or transactions.
In addition, the final rule modifies the definition of account and introduces the term "covered account," which includes: (1) an account primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; or (2) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. The second prong of this definition reflects the concern that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft and should be considered for coverage by the written program.
The final rule requires financial institutions and creditors that offer or maintain covered accounts to develop and implement a written program to counter the risk of identity theft. To provide flexibility and ease the compliance burden for smaller financial institutions and creditors, the rule states that the program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The risk-based nature of the final rule also allows each financial institution or creditor to evaluate which accounts should be covered by the program. In making this determination, financial institutions and creditors should periodically conduct a risk assessment of their consumer and business accounts, taking the following factors into consideration: (1) the methods they provide to open accounts; (2) the methods they provide to access accounts; and (3) any previous experience with identity theft.
What the Program Requires
The red flag program ("Program") must combat both actual and attempted identity theft. Following is a summary of the required aspects of the Program:
Step One: Identification of Red Flags. The Program should include reasonable policies and procedures to identify relevant Red Flags for the covered accounts that the entity offers or maintains. The Rule does not specify which "Red Flags" are relevant to any particular entity (or mandatory to monitor, for that matter), thus placing the onus on the entity to determine what flags are most relevant. The Rule and each implementing regulation provide a section containing supplemental guidelines that includes a list of Red Flag categories and examples to help entities complete this aspect of their Programs. Specifically, the factors that entities should consider when identifying Red Flags are:
- The types of covered accounts they offer or maintain;
- The methods they provide to open covered accounts;
- The methods they provide to access covered accounts; and
- Their previous experience with identity theft. Specifically, entities should consider any Red Flags that directly relate to previous experiences with identity theft as relevant Red Flags.
Step Two: Detecting Red Flags. The Program must contain reasonable policies and procedures to detect the Red Flags that entities have incorporated into their Programs. Section III of the supplemental guidelines provides examples of various means to detect Red Flags. It says that the Program should address detection in connection with the opening of covered accounts, such as by obtaining identifying information about, and verifying the identity of, a person opening such an account; it also says that the Program should address detection in existing accounts by deploying proper authentication protocols, monitoring transactions, and verifying the validity of change of address requests.
Step Three: Responding to Red Flags once they are detected. The Program must ensure, through its policies and procedures, that entities "respond appropriately" to any Red Flags that are detected by the Program, and that the response actually mitigates identity theft. The Rule makes clear that an appropriate determination that no response is warranted (false Red Flags, for example) will be an "appropriate response" wherever the facts support such a determination.
Step Four: Updating the Program. The Program must be updated periodically to ensure that the relevant Red Flags are included to reflect changes in risks to customers and/or to the entity from identity theft.
Step Five: Administration of the Program. Entities must take several steps to administer the Program, including:
- Obtaining approval of the initial written Program. The Board of Directors of an entity, or an appropriate committee designated by the Board, must approve the initial written Program. Subsequent management, oversight, and implementation of the Program may be delegated. The supplemental guidelines note that such oversight should include assigning specific responsibility for the Program's implementation and reviewing reports prepared by staff on compliance. Changes to the Program after initial approval do not require Board approval. Reports regarding the Program's effectiveness, changes to the Program, and Program activity should be prepared at least annually.
- Training Staff. Entities must train staff, as necessary, to effectively implement the Program.
- Oversight of Third Party Service Provider Arrangements. The Rule clearly states that covered entities cannot outsource their compliance obligations and liability just because they outsource services to third parties. The rule states that third party arrangements that affect covered accounts must include protective provisions, procedures and policies to detect, prevent, and mitigate the risk of identity theft.
Rules for Users of Consumer Reports from Consumer Reporting Agencies ("CRAs")
The rule requires users of consumer reports (i.e., credit reports) obtained from nationwide CRAs that regularly report credit data back to the CRA to develop reasonable policies and procedures for furnishing the proper address for a consumer to the CRA where the CRA notifies the user of a discrepancy between the address provided by the user when ordering the report and the address on the report returned to the user. The rule requires all users (whether or not they report credit data back to the CRA) to verify the correct address of the consumer, through means that establish a "reasonable belief" that it is valid, before using a report that came with an advisory from the CRA that the addresses did not match. Some measures that entities can use to verify addresses include:
- Verifying the address with the person to whom the consumer report pertains;
- Reviewing its own records of the address provided to request the consumer report; or
- Verifying the address through other third-party sources.
Special Rules for Card Issuers
The Rule also includes special rules for issuers of credit and debit cards. The rule covers issuers of payroll cards, credit cards, debit cards, and debit cards for home equity lines of credit. The rule does not cover prepaid stored value cards. The rule does, however, extend to cards issued to individuals for business purposes (e.g., sole proprietors).
According to the rule, a card issuer that receives an address change notification and, within 30 days, a request for an additional or replacement card, may not issue an additional or replacement card until it has notified the cardholder or has otherwise assessed the validity of the change of address in accordance with the rule. To be clear, the Rule does not require entities to validate an address every time a customer requests a new or replacement card; validation is only required when the card request occurs within 30 days of an address change.
The notice that a card issuer must give must be clear, conspicuous, and separate from its regular correspondence with the cardholder.
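The card-issuer rule above (an address change followed within 30 days by a request for an additional or replacement card) is a concrete control that a fulfilment system can enforce before a card is issued. The following is an added illustration, not code from the rule or from any issuer; the account structure, the inclusive 30-day boundary and the sample dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The Rule's look-back window: an address change notification followed by a
# card request within 30 days triggers the hold. The boundary day is treated as
# inside the window here (a constructed assumption; check the issuer's own policy).
ADDRESS_CHANGE_WINDOW = timedelta(days=30)


@dataclass
class CardAccount:
    """Hypothetical account record: when address changes were received and
    which of them have since been validated with the cardholder."""
    account_id: str
    address_changes: list[date] = field(default_factory=list)
    validated_changes: set[date] = field(default_factory=set)


def record_address_change(acct: CardAccount, received: date) -> None:
    """Log an address change notification against the account."""
    acct.address_changes.append(received)


def record_address_validation(acct: CardAccount, change_date: date) -> None:
    """Record that the cardholder was notified (or the change otherwise
    validated) for the address change received on change_date."""
    if change_date in acct.address_changes:
        acct.validated_changes.add(change_date)


def replacement_card_decision(acct: CardAccount, request_date: date) -> tuple[str, str]:
    """Decide whether an additional/replacement card may be issued.

    Returns ("hold", reason) when an unvalidated address change falls within
    the 30 days preceding the request, otherwise ("issue", reason). A request
    outside the window is not held, matching the Rule's scope.
    """
    for change in acct.address_changes:
        in_window = change <= request_date <= change + ADDRESS_CHANGE_WINDOW
        if in_window and change not in acct.validated_changes:
            return ("hold", f"address change on {change.isoformat()} within 30 days of request; "
                            "notify cardholder or validate the change before issuing")
    return ("issue", "no unvalidated address change within the 30-day window")


if __name__ == "__main__":
    acct = CardAccount("ACCT-0001")                 # constructed sample account
    record_address_change(acct, date(2009, 3, 1))   # constructed sample dates
    print(replacement_card_decision(acct, date(2009, 3, 20)))   # hold
    record_address_validation(acct, date(2009, 3, 1))
    print(replacement_card_decision(acct, date(2009, 3, 20)))   # issue
```

The hold is the system-level counterpart of the Rule's requirement; the separate, conspicuous cardholder notice still has to be sent through the issuer's normal channels before the validation is recorded.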