By Ronald S. Nixon
The Federal Trade Commission announced in a July 29 press release that it is delaying enforcement of the “Red Flags Rule” until November 1, 2009. Huh? What’s the Red Flags Rule? Since many businesses that may be affected by the regulation were asking the same question, the FTC delayed enforcement for the third time.
A fraud prevention regulation, the Red Flags Rule requires “creditors” and “financial institutions” with “covered accounts” to create and follow written procedures to identify, detect, and respond to warning signs (in other words, “red flags”) of identity theft in their businesses. The Rule was mandated by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), and it impacts a large number of businesses due to FACTA’s broad definition of “creditor,” which includes all entities that regularly extend or renew credit (or arrange for others to do so) and all entities that regularly permit deferred payment for goods and services.
Even if a business is a “creditor” or a “financial institution,” the Rule only applies if the business also has “covered accounts,” which are divided into two types. The first type of account is one offered to customers for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, such as credit card accounts, mortgage loans, auto loans, cell phone accounts, savings accounts, and the like. The second type is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Here, even a single transaction account is a “covered account” if there is a “reasonably foreseeable risk” of identity theft. For example, a risk might be foreseeable where a consumer can access the account remotely, such as by telephone or the Internet.
If a financial institution or creditor has “covered accounts,” it must develop and implement a written Identity Theft Prevention Program to prevent, detect, and mitigate identity theft in the opening and operation of those accounts. A written program has four elements: 1) identify threats of identity theft applicable to the accounts, 2) detect those threats in the business’ day-to-day operations, 3) respond to them as they occur to prevent or reduce harm, and 4) update the procedures periodically to adapt to changing risks. No specific requirements for a written program are mandated by the Rule. The procedures developed should be appropriate to the size and complexity of a business and the nature and scope of its activities. The FTC notes that it will assess compliance based on the reasonableness of the policies and procedures adopted.
The Rule’s flexibility is also part of the confusion, and the FTC realized that many businesses to which the Rule applies need further guidance. In conjunction with providing more time for compliance, the FTC plans to post new materials in addition to the abundance of information already on its Web site at www.ftc.gov/redflagsrule.
The FTC’s press release also notes that the delayed enforcement applies only to businesses under its jurisdiction, and not to creditors or financial institutions that must also comply with FACTA but fall under the jurisdiction of other federal regulatory agencies (such as banks, federally chartered credit unions, and savings and loans).
For further information regarding these matters, please contact Mr. Nixon at 248.619.2585 or by email.