Identify Theft Prevention Programs Required by FTC’s Red Flags Rule

- June 2010

NOTE:  On May 28, 2010, the FTC announced that the effective date for enforcement of these regulations has been postponed to December 31, 2010.

Federal Trade Commission enforcement of its new “Red Flags Rule” (16 CFR Part 681) is scheduled to go into effect on August 1, 2009. The Red Flags Rule require creditors and financial institutions to conduct a risk assessment to determine if they have “covered accounts,” which include consumer-type accounts or other accounts for which there is a reasonable risk of identity theft. If so, the creditor must develop and implement a written Identify Theft Prevention Program to identify, detect and respond to possible risks of identity theft relevant to them.

“Creditor” is broadly defined to include any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. “Credit” is defined as the right granted by a creditor to a debtor to defer payment of a debt, incur debt and defer its payment or purchase property or services and defer payment. It appears that any wholesaler-distributor or other business that sells goods or services and defers payment (e.g., a sale on open account) is a creditor.

“Account” is a continuing relationship established by a person with a creditor or financial institution to obtain a product or service for personal, family, household or business purposes.

A “covered account” is (i) any account that a creditor or financial institution offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the creditor or financial institution offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor or financial institution from identity theft, including financial, operational, compliance, reputation or litigation risks.

Under the Red Flags Rule, creditors and financial institutions with covered accounts must develop a written program that identifies and detects the relevant warning signs—or “red flags”—of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the board of directors or senior employees of the creditor or financial institution, include appropriate staff training and provide for oversight of any service providers.

Conclusion

Companies will need to consult with their professional advisors concerning the application of the FTC’s rule to their business and any action needed to comply. For additional information and resources from the FTC on the Red Flags Rule, visit www.ftc.gov/redflagsrule. A helpful “Frequently Asked Questions” document may be accessed at www.ftc.gov/os/2009/06/090611redflagsfaq.pdf