The FTC Begins Enforcement of the Identity Theft Red Flags Rule Imposing New Requirements on Many Businesses

April 27, 2009

On May 1, 2009, the U.S. Federal Trade Commission (FTC) begins enforcement of the Red Flags Rule, requiring many businesses to develop, implement, and administer an Identity Theft Prevention Program that is designed to detect the warnings signs (or “red flags”) of identity theft, as well as to prevent and mitigate it.

The rule is broad sweeping, affecting not just financial companies, but also many telecommunications, utility, auto, retail and healthcare companies — including physician practices. The necessary steps for compliance will vary on the size and nature of the business, as well as existing data protection policies, but failure to comply may result in civil monetary penalties.

Who is Covered?

Every “financial institution” and “creditor” that offers or maintains one or more “covered accounts” must comply with the Red Flags Rule.

The term “financial institution” is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Those types of entities generally fall under the jurisdiction of the federal bank regulatory agencies.

The term “creditor” is broader than its common usage. Aside from covering businesses that grant loans and extend credit, such as finance companies and retailers that offer financing for consumers, the term “creditor” covers businesses and organizations that provide goods or services and bill customers later, such as health care providers, utility companies, and telecommunications companies. The FTC regulates these businesses for compliance with the Red Flags Rule.

If any of these businesses offer or maintain one or more “covered accounts,” then they must comply with the Red Flags Rule. There are two types of covered accounts. The first kind is an account primarily for personal, family, household or business purposes that is designed to permit multiple payments over time, such as a bank account, credit card account, mortgage loan, automobile loan, cell phone account or utility account. The second kind of covered account is any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the business from identity theft. Examples include small business and sole proprietorship accounts or certain single transaction consumer accounts.

What is Required of Businesses?

Businesses subject to the Red Flags Rule must develop and implement a written Identity Theft Prevention Program (the “Program”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

Every Program must include reasonable policies and procedures related to four elements: (1) the identification of red flags, (2) the detection of red flags, (3) the response to red flags that are detected, and (4) the periodic update of the Program. The FTC and the other federal bank regulatory agencies charged with enforcing the Red Flags Rule have issued guidelines to assist businesses in developing and implementing a Program.

How is the Red Flags Rule Related to the Safeguards Rule and to Anti-Money Laundering Requirements?

While the FTC’s Safeguards Rule (and other information security laws) and the anti-money laundering regulations largely require certain businesses to take actions in response to consumer transactions that have already occurred, the Red Flags Rule addresses consumer transactions at the front end and attempts to thwart identity theft at the time of the transaction.