Red Flags Rule - Client Alert

Todd Shill

What is the “Red Flags Rule?”

The Red Flags Rule[i] was issued as part of the Fair and Accurate Credit Transactions Act of 2003 (“FACT”).[ii] Generally, the Red Flags Rule requires creditors to create and implement written identity theft prevention programs by June 1, 2010.  These Identity Theft Prevention Programs must provide for the identification, detection, and response to patterns, practices, or specific activities, or "Red Flags," that could be a sign of identity theft. 

Who is affected by the Red Flags Rule?

The Red Flags Rule is applicable not only to financial institutions, but also to any entity that meets the definition of a creditor and maintains covered accounts. Importantly, the determination of whether your business is covered by the Red Flags Rule is not based on industry or sector, but rather on whether your activities fall within the relevant definitions.  Because the FACT broadly defines “creditor,” many groups, which would not normally consider themselves creditors, are covered under the Rule. 

Consequently, an entity should first determine whether it is a creditor or financial institution under the Red Flags Rule.  Second, the entity should determine whether it maintains “covered accounts.”  Only if the entity meets both requirements does it need to implement Identity Theft Prevention Programs.

Creditors:

A "creditor" includes any entity that regularly[iii] extends, renews or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.[iv]  Simply put, a business or organization that regularly defers payment for goods or services, or provides goods or services and bills customers later, is covered under the Act.  Utility companies, health care providers, and telecommunication companies are among the entities that may fall within the definition, depending on how and when they collect payment for their services.  Further, a creditor also includes an entity that regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions.  For example, this may include finance companies, mortgage brokers, real estate agents, automobile dealers, retailers that offer financing or help consumers get financing from others, or third-party debt collectors that regularly renegotiate the terms of a debt.[v]  Importantly, merely accepting credit cards does not, by itself, make an entity a creditor under the Red Flags Rule.

Financial Institutions:

The Red Flags Rule defines a financial institution as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that directly or indirectly holds a transaction account belonging to a consumer.[vi]  A transaction account is a deposit or account from which the owner may make payments or transfers to third parties or others.[vii]  Generally, transaction accounts include checking accounts, negotiable orders of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.[viii]

Covered Accounts:

The Red Flags Rule covers two types of accounts: (1) consumer accounts and (2) other covered accounts.  First, consumer accounts are primarily offered to customers for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions.[ix]  Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.[x]  Second, other covered accounts are “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”[xi]  Examples include “small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft.”[xii] Importantly, an “account” only includes “continuing relationships.”[xiii] Thus, single, non-continuing transactions by non-customers are not covered accounts.

Are There any Exemptions for Small Businesses?

No.  Currently, there are no exemptions for small businesses.  Legislation is pending in Congress that would grant businesses of only certain sizes an exemption from the Red Flags Rule.[xiv] This legislation, however, is only a proposed change and is not law.  As such, small businesses are currently still subject to the Red Flags Rule.

My Company is Covered Under the Red Flags Rule – What am I Required to Do?

Companies and organizations subject to the Red Flags Rule are required to develop, implement, and administer an Identity Theft Prevention Program.  This Program, however, is only as effective as its implementation.  Merely drafting a Program on paper will do little to reduce the risk of identity theft.

Accordingly, the Red Flags Rule requires that companies and organizations integrate their Program into their daily business operations.  First, the drafted Program must be approved by the Board of Directors.  If there is no Board of Directors, then the Program must be approved by senior-level management.  Second, the Program must delegate implementation and administration responsibilities to appropriate management.  Third, employees must receive training in the Program.  Employees are a company’s first line of defense in preventing identity theft.  Consequently, all employees who have the potential to spot red flags should be trained in the Program.  Moreover, the Identity Theft Prevention Program should be included in any employee training materials or employee handbooks.  Employees should be instructed to direct any questions to the management employee who is responsible for the implementation and administration of the Program.  Only through proper training of employees and integrated implementation of the Program will a company ensure compliance with the Red Flags Rule.

What does an Identity Theft Prevention Program Need to Include?

Identity Theft Prevention Programs must include “reasonable policies and procedures” to:

1. Identify Red Flag activities for covered accounts;

2. Detect occurrences of Red Flag activities;

3. Establish a procedure to respond to detected activities; and

4. Update the Program periodically to incorporate new risks.

All Identity Theft Prevention Programs should reflect an entity’s size and complexity.  An entity with a higher risk of identity theft will need a more comprehensive Program than a low-risk entity. The Program should be reviewed annually to determine its effectiveness and to identify potential areas of improvement.  The Red Flags Rule also requires that employees be trained as necessary to implement the Program.  Accordingly, any Identity Theft Prevention Program should be included in any employee training or employee handbook.

What is a Red Flag?

A red flag is a pattern, practice, or specific account activity that indicates the possibility of identity theft.  The Federal Trade Commission identifies five general categories of red flags:

a) Alerts, notifications, or warnings from a consumer reporting agency;

b) Suspicious documents, such as evidence of forgery;

c) Suspicious personal identifying information, such as inconsistent address or invalid phone number;

d) Suspicious account activity, such as use of an account that has been inactive for a significant period of time; and

e) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

What are the Penalties for Non-Compliance with the Red Flags Rule?

The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule.  The maximum civil penalty per violation is $3,500.  A separate violation occurs for each instance in which the company has violated the Rule.

Where Can I Get Help Regarding the Red Flags Rule?

If you need help determining whether your business is subject to the Red Flags Rule, how to implement an Identity Theft Prevention Program, or if you have any other questions, please contact Todd J. Shill.  You can also find helpful information and tools on the Federal Trade Commission’s Red Flags Rule website at http://www.ftc.gov and the resources listed below.

Todd J. Shill
Rhoads & Sinon LLP
One South Market Square
P. O. Box 1146
Harrisburg, PA 17108-1146
(717)  231-6665
tshill@Rhoads-Sinon.com


[i] The Red Flag and Address Discrepancy regulations were published in final form on November 9, 2007, 72 Fed. Reg. 63718 (Nov. 9, 2007).

[ii] 15 U.S.C. § 1681 et seq.

[iii] The term "regularly" is not defined by the Red Flags Rule, but for purposes of the Federal Reserve Board’s regulations under the Truth in Lending Act, a person "‘regularly’ extends consumer credit only if it extended credit [other than credit transactions secured by the consumer’s principal dwelling] more than 25 times (or more than five times for transactions secured by a dwelling) in the preceding calendar year. If a person did not meet these numerical standards in the preceding calendar year, the numerical standards shall be applied to the current calendar year."  The FTC provides little guidance on the issue and states that “[t]here’s no bright line definition for ‘regularly.’  But if the activities that meet the definition of ‘creditor’ are more than just an isolated occurrence for your business, the Red Flags Rule applies to you.” http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm#A

[iv] 15 U.S.C. § 1691(a).

[v] See “Fighting Fraud with the Red Flags Rule: A How-To Guide for Business,” Federal Trade Commission, at * 11, http://ftc.gov/redflagsrule (“How-To Guide”).

[vi] 15 U.S.C. § 1681a(t).

[vii] 12 U.S.C. § 461(b)(1)(C).

[viii] See How-To Guide at * 31 n. 5.

[ix] 16 C.F.R. § 681.2(b)(3)(i).

[x] See How-To Guide at * 11.

[xi] 16 C.F.R. § 681.2(b)(3)(ii).

[xii] See How-To Guide at * 11.

[xiii] 16 C.F.R. § 681.2(b)(1).

[xiv] See H.R. 3763.  Text available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h3763rfs.txt.pdf.