Starting this month, the Federal Trade Commission (FTC) will begin enforcing a new law, the Red Flags Rule, to combat identity theft. It regulates most businesses that sell goods or services without a contemporaneous payment. It requires businesses to adopt written policies identifying and addressing red flags of identity theft, that is, patterns, practices or specific activities that indicate the possible existence of identity theft.
Since other laws already require businesses to safeguard personal information, the rule’s purpose is to prevent identity theft after personal information has been misappropriated. Because the rule potentially applies to a broad universe of businesses, every business will need to understand the rule, determine whether it applies, and comply if necessary.
The rule requires any creditor maintaining covered accounts to “develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” A creditor’s administration of its program involves proper program adoption and effective enforcement, training and supervision.
The rule broadly defines a creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” It defines credit as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.”
Basically, anyone who sells property or services without a contemporaneous payment could be a creditor. Virtually every business, aside from pure point-of-sale retailers, falls within this definition. The definition appears to exclude retailers who merely accept as payment credit extended, renewed or continued by third parties, for example, businesses allowing payment with third-party credit cards.
However, the rule’s definitions of account and covered account clarify this point. An account is “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes: (i) An extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) A deposit account.”
A covered account is one the creditor offers or maintains that is itself a “continuing relationship” between the customer/debtor and the creditor allowing purchases paid for in installments and over time. This definition includes: (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and (2) any other account for which there is a reasonably foreseeable identity theft risk to customers or to the creditor.
Once a creditor determines that it falls within the rule’s broad scope, the program components are straightforward — identify, detect, respond and update. Identifying requires the creditor to identify relevant red flags for the accounts that the financial institution or creditor offers or maintains, and to incorporate those red flags into its program. Thus, while many different businesses must comply, the rule states that the program must be appropriate to the size and complexity of the financial institution or creditor, and to the nature and scope of its activities.
Creditors should consider several risk factors, and several sources, when identifying appropriate red flags. The risk factors include: (1) the types of covered accounts the creditor offers or maintains, (2) the methods the creditor provides to open its covered accounts, (3) the methods the creditor provides to access its covered accounts, and (4) the creditor’s previous experiences with identity theft. Recommended sources for red flags include: incidents of identity theft that the creditor has experienced, methods of identity theft the creditor has identified that reflect changes in identity theft risks, and applicable supervisory guidance.
Detection requires a creditor to establish policies and procedures to detect red flags that have been incorporated into the program. The FTC encourages adopting policies that require verifying identities, authenticating customers, monitoring transactions and verifying address changes when dealing with covered accounts.
Responding requires the creditor to respond appropriately to any red flags that are detected in order to prevent and mitigate identity theft. The FTC suggests creditors consider adopting measures appropriate to their unique risks and aggravating factors, such as monitoring accounts, contacting customers, changing passwords, closing accounts, not opening new accounts and notifying law enforcement.
Updating requires the creditor to ensure that the program is updated periodically to reflect changes in risks to customers, and to the safety and soundness of the financial institution or creditor, from identity theft. The FTC suggests periodic program review and updating to account for changes internal to the creditor and for evolving methods of identity theft and of handling it.
According to the FTC, there is no private right of action under the rule. However, consumers can file a complaint with the FTC about a company’s program, and the FTC intends to use such complaints to target its law enforcement efforts. Only certain agencies have jurisdiction to enforce the rule, but they have a variety of options at their disposal to ensure compliance, including penalties of up to $3,500 per violation, and injunctions.
Businesses should evaluate the rule’s applicability and, if necessary, implement a compliant program to avoid sanctions. At a bare minimum, the rule requires any creditor to periodically review its operations to assess whether the rule applies to it. Indeed, the FTC suggests that even low-risk businesses should adopt a minimal program. The FTC has published “Fighting Fraud With The Red Flags Rule: A How-To Guide For Business” to help companies interpret and apply the rule. The guide is available at www.ftc.gov/redflagsrule.