Is Your Business Ready for the Red Flags Rule?
Just a few days before the scheduled August 1, 2009 compliance deadline for the Red Flags Rule (sometimes referred to as the “Rule”), the Federal Trade Commission (FTC) extended the deadline to November 1, 2009. This is the third delay of enforcement of the Red Flags Rule and is likely to be the last. The FTC indicated that it had extended the deadline to further educate small businesses and other entities about the Red Flags Rule and how to comply with its requirements.
What is the Red Flags Rule?
The Red Flags Rule implements certain sections of the Fair and Accurate Credit Transactions (FACT) Act of 2003, which directed the FTC to devise regulations to help “detect, prevent and mitigate instances of identity theft.” The Red Flags Rule requires that businesses covered by the Rule establish and adhere to written identity theft prevention programs as a means of combating the scourge. Identity theft is a rapidly expanding and costly problem in the retail, financial, healthcare and other consumer focused sectors of the economy. In 2008 alone, identity theft cost approximately $48 billion and, at the current rate, one in five Americans have had or will have their identity stolen. Identity theft also can wreak havoc with one’s credit that can take years of time and effort to repair. Medical identity theft has also become a significant problem. Perpetrators of medical identity theft use others’ medical identities to obtain illegal and fraudulent treatment, purchase addictive drugs, and obtain free treatment, among other things. And more troubling, medical identity theft can lead to loss or denial of coverage and improper treatment based on erroneous medical history and can result in injury or even death to the patient. Through implementation and enforcement of the Red Flags Rule, the FTC hopes to slow the pace of the serious financial and life consequences that can result from financial and medical identity theft.
Who Does the Red Flags Rule Apply To?
The Red Flags Rule applies to “creditors” with “covered accounts” and to “financial institutions” (i.e., banks, savings and loans, credit unions, and other entities that hold deposits belonging to customers). A “creditor” is defined in the Rule as any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. There are two types of “covered accounts.” The first is any account used mostly for personal, family, or household purposes that involves multiple payments or transactions. The second is any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft.
Many enterprises have been under the mistaken impression that the Rule does not apply to them because they do not extend credit to their customers, do not access their customers’ credit reports, or deal primarily with business customers. However, because the definitions of “creditor” and “covered accounts” are very broad, most of these unsuspecting enterprises are likely subject to the Rule. For example, a retailer that does not sell on account but does take applications for a third-party credit card will likely be subject to the Rule. Indeed, in guidance and other recent correspondence and pronouncements, the FTC has taken the position that the Rule can apply to a broad array of for-profit and non-profit enterprises, including healthcare institutions, law firms, retailers, manufacturers and other businesses that do not require immediate payment for their goods or services. Generally speaking, if your business sends invoices to its customers or clients, it will likely be subject to the Red Flags Rule.
How to Comply with the Red Flags Rule
In order to comply with the Red Flags Rule, by November 1, 2009 the Board of Directors or other governing body of your enterprise must approve a written Identity Theft Prevention Program (Program) that is designed to detect, prevent and mitigate identity theft. Although the Rule does not specify the contents of the Program that must be adopted, the Program must include reasonable policies and procedures designed to combat and mitigate the effects of identity theft. The FTC has devised a four-step process to help enterprises develop and maintain their Programs:
- Step 1 – Identify Relevant Red Flags
  - Enterprises must determine which “red flags” (i.e., situations, circumstances or patterns that will alert them to potential instances of identity theft) they are most likely to encounter and incorporate them into the Program. For example, a customer or patient who has had multiple addresses in a short period of time, notification that an individual has placed a hold on his or her credit history, or use of a long-inactive account could be “red flags” included in the Program.
  - Although the Rule does list 26 common red flags, it does not mandate that those red flags be used in a particular Program, because the enterprise is in the best position to establish the red flags applicable to its business and because identity theft techniques are constantly evolving.
- Step 2 – Detect Red Flags
  - Enterprises should establish procedures for detecting red flags during day-to-day operations. For example, the enterprise should verify the identity of new customers and authenticate the identity of existing customers.
- Step 3 – Respond to Red Flag Activities
  - Enterprises should establish appropriate protocols for preventing and mitigating detected identity theft. Monitoring the account, contacting the customer, and notifying law enforcement could be appropriate responses.
- Step 4 – Update the Program
  - Enterprises need to update their Programs periodically so as to incorporate new risks of identity theft. In other words, this is not a “put it in the drawer” type of regulation, as the methods of achieving identity theft are constantly changing.
Although the Rule does cast a wide net, its risk-based approach gives enterprises the flexibility to scale their Programs to the size, complexity and nature of their business. For low-risk enterprises, the FTC has devised a special template that further streamlines Program implementation (the template is available on the FTC’s website, www.ftc.gov). Of course, an enterprise must first determine that it is low risk, and the FTC has suggested that such a determination may be demonstrated by factors such as knowing customers personally, providing services at customers’ homes, and having little or no experience with fraud in the past. This list is not exhaustive, and other factors may assist in determining whether a specific enterprise is low risk.
What are the Consequences of Non-Compliance with the Red Flags Rule?
Enterprises that fail to comply with the Red Flags Rule by November 1, 2009 can be subject to regulatory enforcement actions and civil money penalties. In addition, identity theft makes headlines and can result in intense negative publicity and loss of business. And, although the Rule does not permit a private right of action, adherence to the Rule is likely to become the standard of care that is applied to determine whether an enterprise negligently permitted identity theft.
For more information about the Red Flags Rule or for guidance on creating and implementing an appropriate Identity Theft Prevention Program for your enterprise before the November 1, 2009 deadline, please contact Ryan J. Udell (firstname.lastname@example.org) or your White and Williams counsel.
Most “financial institutions” should already be Red Flags Rule compliant, since most financial institutions are likely already subject to existing fraud detection programs. Accordingly, this Alert does not focus on the Rule’s applicability to, or requirements for compliance by, financial institutions. If you are a financial institution and have questions or concerns about compliance, please contact the authors.