I. IDENTITY THEFT – A GROWING CONCERN

There can be no dispute that identity theft is a growing concern across the United States and abroad. In fact, the Federal Trade Commission (FTC) estimates that as many as 9 million Americans have their identities stolen each year. Identity thieves continue to develop new levels of sophistication associated with the misuse of personally identifying information such as names and Social Security numbers, credit card numbers, or other financial account information. The crime of identity theft has affected millions of individuals’ credit scores, financial security, and pocketbooks.

In light of this growing concern over identity theft, it should be no surprise that the federal government is constantly upgrading and revising its legislative efforts to combat identity theft. Given these recent legislative efforts, businesses whose customers run the risk of identity theft must ask: How will these new federal regulations impact the way we do business? What can we do to protect our customers or clients from the risk of identity theft? Do new federal identity theft regulations apply to our business? And what will the federal government require of us in order to comply with new regulations directed toward identity theft?

II. DEVELOPMENT OF THE “RED FLAGS” RULE

In an attempt to crack down on identity theft, the FTC, the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) are requiring that certain businesses, banks, and other covered entities implement “Identity Theft Protection Programs.” In reality, the “Red Flags Rule” has been in effect since January 1, 2008, with an original implementation deadline of November 1, 2008. However, revisions to the regulations and debate over entities covered by the Red Flags Rule have delayed the implementation deadline to December 31, 2010.

The Rule requires that all organizations subject to the Fair and Accurate Credit Transactions Act of 2003, that provide and/or maintain “covered accounts”, must develop and implement Identity Theft Protection Programs designed to help detect and prevent identity theft. The two main categories of covered entities required to have such programs are creditors and financial institutions. However, the Rule has rather expansive definitions of what constitutes a creditor and financial institution, and therefore the regulations may encompass entities not commonly viewed as a creditor or financial institution. As such, it is critically important for any business to first determine whether it fits within the parameters of coverage under the Red Flags Rule.

The definition of a “creditor” includes businesses or organizations that regularly defer payments for goods or services or provide goods or services and bill customers later. Examples of such creditors include utility companies, cell phone companies and health care providers. The definition also includes entities which regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Mortgage brokers, automobile dealers, and retailers may all fall within this definition. The Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.

Once a business determines whether it falls into one of the above covered categories, the business will need to determine whether it provides or maintains “covered accounts” subject to the Rule. A covered account is an account used primarily for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, utility accounts, checking accounts, and savings accounts. Also, a “covered account” includes an account for which there is a foreseeable risk of identity theft such as small business or sole proprietorship accounts.

III. IMPLEMENTING THE IDENTITY THEFT PREVENTION PROGRAM

If a business offers “covered accounts” and is therefore subject to compliance with the Red Flags Rule, it must then determine how to comply with the Rule. There is no cookie-cutter or one-size-fits-all program required by the Red Flags Rule. The Rule allows each company to tailor its program to the possible risks and exposures its clients and customers might encounter. A business might have a high risk of identity theft which would require it to have a more complex set of policies and procedures on how to detect, mitigate, prevent, and remedy identity theft occurrences. However, the programs should be based on the type of covered accounts a business provides, the complexity of these accounts, and the amount of potential exposure these accounts have to identity theft.

The federal regulations have developed a framework to provide guidance for covered entities required to implement these identity theft prevention programs. There are four basic elements of the framework: (1) develop written policies and procedures to identify the “red flags” or warning signs of identity theft your business may encounter, (2) the program must be able to detect the red flags identified in your policies and procedures, (3) the program must spell out the appropriate response your business will take when a red flag is detected, and (4) the program must be reviewed and updated periodically to reflect the ever-changing threats of identity theft.

An Identity Theft Prevention Program should be more than just a list of possible red flags your business might encounter, because identification alone will not help prevent or mitigate identity theft. Appropriate staff training is required to ensure that employees are aware of the red flags, how to detect and prevent them, and how to adequately respond when they encounter a possible theft. Moreover, employee training is critical because the individuals on the front line are likely to have the most interaction with customers and their “covered accounts”. The written ITPP is also required to provide a description of the appropriate response when encountering a potential identity theft occurrence, a detailed plan on how the program will be periodically updated, and the manner in which the program will be managed by the business’s board of directors or senior employees.

IV. RISK FACTORS AND WARNING SIGNS FOR IDENTITY THEFT

In developing the ITPP, it is important not to get lost in the minutiae required under the federal regulation, but to keep in mind the general purposes and goals of the Red Flags Rule. To this end, the federal regulations offer some helpful risk factors and warning signs to assist in ferreting out illegal identity theft. Although there are some common risk factors to take into account when detecting red flags, these risk factors will vary depending on the type of covered account a particular business provides. Some common risk factors to consider are: the types of covered accounts you offer or maintain, the methods used to open accounts, how you provide access to those accounts, and previous experiences the business has had with identity theft.

Additionally, there are five main categories of warning signs for suspicious activity potentially related to identity theft: alerts and notifications from a credit reporting company about current methods of identity theft; suspicious documents; suspicious personal identifying information; suspicious account activity; and notices from other sources like a customer or law enforcement agency. This list is not exhaustive, but it is a good place to start when trying to detect red flags and develop an effective Identity Theft Protection Program.

V. WHAT SHOULD YOUR BUSINESS DO?

Many creditors and financial institutions may already have a similar protection system in place to help combat identity theft. However, the final sections of the regulation take effect on December 31, 2010, and will require a separate Identity Theft Protection Program where current programs are not compliant with the Red Flags Rule. The program may, however, reference other policies already in existence to avoid unnecessary duplication.

Compliance with the Red Flags Rule need not be a costly and burdensome endeavor. However, the content of this brief Alert only covers the tip of the iceberg in terms of the requirements of the new federal regulations and what is required of a business’s written ITPP. Any specific inquiries, as well as evaluation of the ITPP for compliance with the federal regulations, should be directed to competent legal counsel.

Any questions relative to the Red Flags Rule, how to develop and implement an Identity Theft Protection Program, and whether your business is covered by the Red Flags Rule, can be addressed to a member of Reminger’s Finance and Creditors Rights Practice Group listed below. Please contact a member of our Practice Group for further information regarding the Red Flags Rule or other general inquiries related to Finance and Creditors rights.
