FTC Defers Enforcement of the Red Flags Rule to November 1, 2009

July 29, 2009

On July 29, 2009, the U.S. Federal Trade Commission (FTC) deferred enforcement of the Red Flags Rule from August 1, 2009 to November 1, 2009 in order “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” As we discussed in our articles from 4/27/09 and 5/4/09, the Red Flags Rule will require many businesses to develop, implement, and administer an Identity Theft Prevention Program that is designed to detect the warning signs (or “red flags”) of identity theft, as well as to prevent and mitigate it.

As noted earlier, the Rule is very broad and is not limited to any specific business sector. Quite the contrary: it applies not only to financial companies but also to many other types of businesses, such as telecommunications, utility, auto, retail and healthcare companies, including hospitals and physician practices. The steps required for compliance will vary with the size and nature of the business and with its existing data protection policies, but failure to comply may result in civil monetary penalties.

The Rule is Being Deferred Only – Not Revised

It is important to note that the Rule is not being revised or amended in any way. Therefore, the scope of businesses coming within its ambit will be the same on November 1 as it would have been had the August 1 deadline taken effect. The only change is that businesses have been granted three extra months in which to examine the Rule’s application to their specific situations and to develop a set of policies that will comply with the Rule while addressing their own identity theft risk parameters.

However, in response to the widespread backlash from businesses that consider themselves “low risk” with respect to the identity theft the Rule is meant to combat (and that are uncertain about the extent of their obligations under the Rule), the FTC noted in its July 29 announcement that “to assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the ‘Red Flags’ Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”

As part of this effort, the FTC will be providing additional compliance guidelines on its website at www.ftc.gov. These guidelines will include a special link for small and low-risk entities, providing materials such as additional templates and FAQs. For example, the FTC has already stated on its website that Commission staff would be unlikely to recommend bringing a law enforcement action against entities that know their customers or clients individually, that perform services in or around their customers’ homes, or that operate in sectors where identity theft is rare and have not themselves been the target of identity theft. Once that additional information is made available, we will distribute another announcement.

What to Do Now?

As noted earlier, businesses that are “financial institutions” or “creditors” offering or maintaining one or more “covered accounts,” and that must therefore comply with the Red Flags Rule by November 1, should begin work immediately: properly assess the Rule’s applicability, prepare policies that reflect their identity theft risks as the Rule requires, and train their employees on the implementation of those policies. Starting now avoids last-minute assessments and the difficulties that tend to arise from them.

Specifically, businesses subject to the Red Flags Rule must develop and implement a written Identity Theft Prevention Program (the “Program”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

Every Program must include reasonable policies and procedures related to four elements: (1) the identification of red flags, (2) the detection of red flags, (3) the response to red flags that are detected, and (4) the periodic update of the Program. The FTC and the other federal bank regulatory agencies charged with enforcing the Red Flags Rule have issued guidelines to assist businesses in developing and implementing a Program.

We will be pleased to answer any questions you might have as to the application, implementation or assessment of the Red Flags Rule with respect to your business.
