Ask the Legal Professional: As a business that extends credit to its customers, do I need to be concerned about the new federal “Red Flag” Identity Theft Rules?

February 15, 2008

As a business that extends credit to its customers, do I need to be concerned about the new federal “Red Flag” Identity Theft Rules?

Yes. New federal rules require all creditors – financial institutions, retailers, utilities, car dealers, and other organizations that extend consumer credit or hold consumer accounts – to develop and implement a proactive Identity Theft Prevention Program. An identity theft prevention policy and program must be adopted and operating no later than November 1, 2008.

Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act. This section amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program. This Program’s purpose is to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions. Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.

The applicability of the new regulations is not limited to consumer accounts. They also apply to any other account that is offered or maintained by a creditor where there is a reasonably foreseeable risk of identity theft, such as business accounts held by sole proprietors that can be opened or accessed remotely.

The new regulations provide financial institutions and creditors with flexibility in developing their programs according to their relative organizational size and complexity. However, the Program must include reasonable policies and procedures that:

• identify relevant Red Flags, and then incorporate those Red Flags into the Program;
• detect such Red Flags;
• respond appropriately to any Red Flags to prevent and mitigate identity theft; and
• ensure that the Program is updated periodically to reflect changes in risks to customers.

What are these “Red Flags”? The regulations define them as a “pattern, practice, or specific activity that indicates the possible existence of identity theft.” However, the concept is fleshed out considerably in the supplementary materials to the regulations. The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. These Guidelines provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the rules.

Once the Program has been established, each financial institution and creditor must administer the Program. This involves having the board of directors or an appropriate committee of the board approve the initial written Program, and having the board, an appropriate board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program. Training of relevant staff and effective oversight of third party service providers with respect to the Program are also required.

Financial institutions covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal banking regulators; for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight. Besides regulatory enforcement actions, violations of the FACT Act can subject the financial institution or creditor to civil actions for damages. The type and amount of damages available will depend on whether the violations are determined to be “negligent” or “willful.”