April 27, 2009
On May 1, 2009, the U.S. Federal Trade Commission (FTC) begins enforcement of
the Red Flags Rule, requiring many businesses to develop, implement, and
administer an Identity Theft Prevention Program that is designed to detect the
warning signs (or “red flags”) of identity theft, as well as to prevent and
The rule is broad and sweeping, affecting not just financial companies, but also
many telecommunications, utility, auto, retail and healthcare companies -- including
physician practices. The necessary steps for compliance will vary depending on the size
and nature of the business, as well as existing data protection policies, but
failure to comply may result in civil monetary penalties.
Who is Covered?
Every “financial institution” and “creditor” that offers or maintains one or
more “covered accounts” must comply with the Red Flags Rule.
The term “financial institution” is defined as a state or national bank, a
state or federal savings and loan association, a mutual savings bank, a state or
federal credit union, or any other person that, directly or indirectly, holds a
transaction account belonging to a consumer. Those types of entities generally
fall under the jurisdiction of the federal bank regulatory agencies.
The term “creditor” is broader than its common usage. Aside from covering
businesses that grant loans and extend credit, such as finance companies and
retailers that offer financing for consumers, the term “creditor” covers
businesses and organizations that provide goods or services and bill customers
later, such as health care providers, utility companies, and telecommunications
companies. The FTC regulates these businesses for compliance with the Red Flags
If any of these businesses offer or maintain one or more “covered accounts,”
then they must comply with the Red Flags Rule. There are two types of covered
accounts. The first kind is an account primarily for personal, family, household
or business purposes that is designed to permit multiple payments over time,
such as a bank account, credit card account, mortgage loan, automobile loan,
cell phone account or utility account. The second kind of covered account is any
other account for which there is a reasonably foreseeable risk to customers or
to the safety and soundness of the business from identity theft. Examples
include small business and sole proprietorship accounts or certain single
transaction consumer accounts.
What is Required of Businesses?
Businesses subject to the Red Flags Rule must develop and implement a written
Identity Theft Prevention Program (the “Program”) that is designed to detect,
prevent and mitigate identity theft in connection with the opening of a covered
account or any existing covered account. The Program must be appropriate to the
size and complexity of the financial institution or creditor and the nature and
scope of its activities.
Every Program must include reasonable policies and procedures related to four
elements: (1) the identification of red flags, (2) the detection of red flags,
(3) the response to red flags that are detected, and (4) the periodic update of
the Program. The FTC and the other federal bank regulatory agencies charged with
enforcing the Red Flags Rule have issued guidelines to assist businesses in
developing and implementing a Program.
How is the Red Flags Rule Related to the Safeguards Rule and to Anti-Money
While the FTC’s Safeguards Rule (and other information security laws) and the
anti-money laundering regulations largely require certain businesses to take
actions in response to consumer transactions that have already occurred, the Red
Flags Rule addresses consumer transactions at the front end and attempts to
thwart identity theft at the time of the transaction.