Red Flags Rule

Author: Jeffery Nash
500 First Street, Suite 8000, P.O. Box 8050, Wausau, WI 54402-8050
402 Graham Avenue, P.O. Box 187, Eau Claire, WI 54702-0187
www.ruderware.com
Derek L. Prestin, [email protected]

Red Flags Rule

In November 2007, the Federal Trade Commission (“FTC”) adopted a new rule which requires certain businesses and organizations to implement safeguards to protect their consumers against identity theft. The rule is found at 16 C.F.R. § 681 and is known as the “Red Flags Rule” (the “Rule”). The Rule is part of the regulations which have been adopted under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) and will be enforced beginning August 1, 2009. The Rule will be enforced by the Federal Trade Commission, the federal bank regulatory agencies, and the National Credit Union Administration.

Under the Rule, certain businesses and organizations are required to spot and act on certain activities or “red flags” that are often indicators of identity theft. To comply with the Rule, these businesses and organizations will need to develop and adopt a written “red flags program” to identify and detect “red flags,” and ensure that the program is kept up-to-date in order to minimize damage from identity theft.

Financial Institutions and Creditors

The Rule only applies to “financial institutions” and “creditors” having “covered accounts.” Under the Rule, a “financial institution” is a bank, savings and loan, credit union, or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers, such as checking and savings accounts.

A “creditor” is a business or organization that regularly: (1) extends, renews, or continues credit; (2) arranges for someone else to extend, renew, or continue credit; or (3) is the assignee of a creditor who is involved in the decision to extend, renew, or continue credit. Under the Rule, “credit” means an arrangement by which a business defers payment of debts or accepts deferred payments for the purchase of property or services. As interpreted by the FTC, the term “creditors” is broadly defined and encompasses all businesses and organizations that defer payment of a customer’s bill. Therefore, the term “creditor” includes, for example:

1. All banks, savings associations, and credit unions.

2. A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the Fair Credit Reporting Act.

3. A utility that regularly bills customers after services are provided.

4. Any business that bills consumers after providing services, including lawn care companies, housecleaning businesses, and other businesses that offer other similar services.

5. Doctors’ offices, hospitals, and other health care providers that regularly bill patients after the completion of services, including the remainder of medical fees not reimbursed by insurance, who allow patients to set up payment plans after services have been rendered, or who distribute and process applications for credit accounts tailored to the health care industry.

6. Telecommunications companies that regularly bill customers after telecommunications services are provided.

7. Franchisors that make loans to prospective franchisees or arrange third-party lenders for a prospective franchisee, or franchisors that bill franchisees after providing services to their franchisee.

Covered Accounts

Under the Rule, there are two general types of “covered accounts.” The first type of “covered account” is an account used mostly for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions and establishes a continuing relationship with the financial institution or creditor, such as a credit card account, mortgage loan, car loan, consumer lease, margin account, cell phone account, utility account, certificate of deposit, retirement or IRA account, trust account, or checking or savings account. The second type of “covered account” is an account for which there is a foreseeable risk of identity theft, such as a small business or sole proprietorship account, or where the safety and soundness of the financial institution or creditor, including financial, operations, compliance, reputation, or litigation risks, indicate that there is a foreseeable risk of identity theft.

If a business or organization is a “financial institution” or “creditor,” but does not have any “covered accounts,” the business or organization does not need a red flags program. However, if a business or organization is a “financial institution” or “creditor” and has “covered accounts,” the business or organization must develop and implement a written program to identify and address the red flags that could indicate identity theft.


Four Steps In Designing a Red Flags Program

There are four basic steps in designing a red flags program that is compliant with the Rule:

1. Identify relevant red flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those red flags into the program;

2. Detect red flags that have been incorporated into the program;

3. Respond appropriately to any red flags detected to prevent and mitigate identity theft; and

4. Ensure the program, including the red flags determined to be relevant, is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor against identity theft.

Relevant Factors In Identifying Red Flags

A financial institution or creditor should consider the following factors in identifying relevant red flags for covered accounts:

1. The types of covered accounts the financial institution or creditor offers or maintains;

2. The methods the financial institution or creditor provides to open its covered accounts;

3. The methods the financial institution or creditor provides to access its covered accounts; and

4. The previous experiences of the financial institution or creditor with identity theft.

A financial institution or creditor should incorporate relevant red flags from sources such as:

1. Incidents of identity theft that the financial institution or creditor has experienced;

2. Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

3. Applicable supervisory and regulatory guidance.

Warning Signs

The general categories of warning signs, or “red flags,” of identity theft that a red flags program should identify and address include:

1. Alerts, notifications, or warnings from a consumer reporting agency or a service provider, such as a fraud detection service;

2. Presentation of suspicious documents;

3. Suspicious personal identifying information, such as a suspicious address change request;

4. The unusual use of, or suspicious activity relating to, a covered account; or

5. Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with a covered account.

Policies and Procedures

Once the general categories of relevant red flags have been identified, a financial institution or creditor must establish policies and procedures that are intended to watch for and detect, and will be effective in detecting, the red flags during the day-to-day operations of the organization. The specific policies and procedures should be tailored to the amount of risk of identity theft. The FTC has acknowledged that there is no bright-line rule that a financial institution or creditor may use to determine whether there is a high or a low risk of identity theft, but factors such as how easily an account is opened or accessed and the prior experience of the business or organization with identity theft should be considered.

In general, the policies or procedures should address the detection of red flags by obtaining identifying information about, and verifying the identity of, a person opening a covered account (for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules set forth in 31 C.F.R. 103.121) and, in the case of existing accounts, by authenticating customers, monitoring transactions, and verifying the validity of change of address requests.

Responses When Red Flags Are Detected

The red flags program must also include appropriate responses to the red flags that are detected by the red flags program in an effort to prevent and mitigate identity theft. These responses may include monitoring an account when suspicious activity has been detected for evidence of identity theft, changing passwords or other security devices controlling account access, closing an account, reopening an account with a new account number, refusing to open a new account, contacting the consumer when a red flag is detected, alerting law enforcement, or a combination of several of these responses.

Need to Update a Red Flags Program

Finally, because identity theft threats evolve and change on an ongoing basis, the red flags program must describe how a business or organization will update the program to account for new risks and trends and new innovations in the detection of identity theft.


Need for Board of Directors Approval

The red flags program must also indicate how it will be administered by the business or organization, including how the business or organization will obtain the approval of management, how the program will be maintained, and how the program will be kept up-to-date, as well as a statement of the general nature of the business’ or organization’s operations. According to the Rule, the red flags program must be approved by the Board of Directors of the business or organization or, if the business or organization does not have a Board of Directors, by a senior employee having the responsibility for the adoption of such programs. The Board of Directors or senior employee must also thereafter approve any material change to the red flags program. The red flags program should also include staff training as appropriate and provide the business or organization with a way to monitor the work of their service providers.

Penalties for Noncompliance

While there are no criminal penalties for failing to comply with the Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties from the agency responsible for their oversight and regulation. The FTC may impose monetary penalties of up to $3,500 per knowing violation of the Red Flags Rule, and the monetary penalties may be assessed against any entity that is required to follow the Rule, even if the entity is not a financial institution. Although the FTC does not appear to have commented on how it would calculate such penalties, it is possible that the FTC could impose a penalty of $3,500 for each covered account that a noncompliant entity maintained. Additionally, the FTC may assess a penalty of up to $16,000 per violation for disobeying an FTC order to comply with the Rule. Thus, even small businesses face the potential of large monetary penalties for noncompliance with the Red Flags Rule.
Development of a Red Flags Program

In order to develop a red flags program, the following steps should be considered:

1. Identify relevant red flags for covered accounts and incorporate those red flags into the program. The following factors should be considered:

   a. The types of covered accounts offered or maintained;

   b. The methods of opening covered accounts;

   c. The methods provided to access covered accounts; and

   d. Prior experiences with identity theft.

2. Develop a system to detect the red flags that have been incorporated into the program. These warning systems may include:

   a. Alerts, notifications, or warnings from a consumer reporting agency or a service provider, such as a fraud detection service;

   b. Presentation of suspicious documents;

   c. Suspicious personal identifying information, such as a suspicious address change request;

   d. The unusual use of, or suspicious activity relating to, a covered account; or

   e. Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with a covered account.

3. Develop responses that appropriately respond to any red flags detected. These responses may include:

   a. Monitoring an account when suspicious activity has been detected for evidence of identity theft;

   b. Changing passwords or other security devices controlling account access;

   c. Closing an account;

   d. Reopening an account with a new account number;

   e. Refusing to open a new account;

   f. Contacting the consumer when a red flag is detected; and

   g. Alerting law enforcement.

4. Put a system into place that ensures that the program, including the red flags determined to be relevant, is updated periodically.

Since a red flags program should be tailored to the specific experience and needs of a particular financial institution or creditor, individual red flags programs will likely vary from one financial institution or creditor to another.

©2009 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved. This document provides information of a general nature regarding legislative or other legal developments. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed.
