November 2, 2009
Last Friday, Oct. 30, 2009, the U.S. Federal Trade Commission (FTC) deferred enforcement of the Red Flags Rule once again, from Nov. 1, 2009 to June 1, 2010, “at the request of Members of Congress.” However, the FTC also acknowledged that earlier that day, the U.S. District Court for the District of Columbia had enjoined the FTC from applying the Red Flags Rule to attorneys. Importantly, the FTC’s deferral does not affect the separate timeline of that legal proceeding and any possible appeals. Nor does this deferral affect other federal agencies’ ongoing enforcement for financial institutions and creditors subject to their oversight.
Equally important, and the likely reason for the Congressional requests, is the Oct. 21 passage of H.R. 3763 by the U.S. House of Representatives (by a 400 – 0 vote). H.R. 3763 provides for automatic exemptions from Red Flags Rule application for those healthcare, legal and accounting practices employing less than 20 employees. It also mandates FTC implementation of regulations providing for case-by-case exemptions. That measure now sits in committee in the U.S. Senate.
As we discussed in earlier articles, the Red Flags Rule will require many businesses to develop, implement, and administer an Identity Theft Prevention Program that is designed to detect the warning signs (or “red flags”) of identity theft, as well as to prevent and mitigate them. As noted earlier, the Rule is very broad, and is not limited to any specific business sector – quite the contrary, it is directed to not just financial companies, but also many other types of businesses such as telecommunication, utility, auto, retail and healthcare companies – including hospitals and physician practices. The steps for compliance will vary on the size and nature of the business, as well as existing data protection policies, but failure to comply may result in civil monetary penalties.
The Rule is Being Deferred Only – Not Revised
It is important to note that, as before, the Rule is not being revised or amended in any way. Therefore, keeping the above lawsuit in mind, the scope of businesses coming within its ambit will be the same on June 1 as would have been affected had the Nov. 1 deadline been implemented. The only action point here is that businesses have been granted seven extra months in which to examine the Rule’s application to their specific situations, and to develop a set of policies that will comply with the Rule while addressing their specific risk parameters for identity theft – and to monitor how the pending lawsuit may affect the Rule’s ultimate application to other business sectors.
However, addressing the widespread backlash from those businesses deeming themselves as “low risk” with respect to the occurrence of the identity theft that the Rule is meant to combat (and uncertain about the extent of their obligations under the Rule), the FTC continues to maintain resources “to assist small businesses and other entities . . . to educate them about compliance with the ‘Red Flags’ Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”
These resources are found on the FTC’s website at www.ftc.gov. These resources include a special link for small and low-risk entities providing materials such as additional templates and FAQs. For example, the FTC continues to provide on its website that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
What to Do Now?
As noted earlier, for those businesses that are “financial institutions” and “creditors” that offer or maintain one or more “covered accounts,” and must therefore comply with the Red Flags Rule by June 1, 2010, they must undertake efforts in the near term to properly assess the Rule’s applicability, prepare policies as appropriate to reflect identity theft risks per the Rule, and train their employees on the implementation of those policies – thus avoiding last-minute assessments and potential difficulties arising from such circumstances.
Specifically, businesses subject to the Red Flags Rule must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
Every Program must include reasonable policies and procedures related to four elements: (1) the identification of red flags, (2) the detection of red flags, (3) the response to red flags that are detected, and (4) the periodic update of the Program. The FTC and the other federal bank regulatory agencies charged with enforcing the Red Flags Rule have issued guidelines to assist businesses in developing and implementing a Program.
We will be pleased to answer any questions you might have as to the application, implementation or assessment of the Red Flags Rule with respect to your business.
We will also continue to monitor developments as to the pending litigation as well as H.R. 3763, and will notify you promptly when they occur.