The One Sentence Summary: On November 1, 2009, the Federal Trade Commission is expected to begin enforcing its “Red Flags” Rule, which requires many retailers, among other businesses, to develop a written program designed to prevent identity thieves from using information they have illegally obtained.
The Red Flags Rule, 16 C.F.R. § 681.2, requires many businesses and organizations to create and implement a written program to identify and detect the warning signs of identity theft.
FTC staff believe that over 11 million entities are subject to the Rule, which affects organizations, large and small, that regularly extend credit to businesses and individuals. In addition to financial institutions, affected business entities also include “creditors,” a term which is defined broadly enough to include many retail businesses. In an Enforcement Policy Statement, the FTC indicated that “any person that provides a product or service for which the consumer pays after delivery is a creditor.” In addition, a retail business is a “creditor” if it issues credit cards, grants loans, arranges for loans or credit, or makes credit decisions. However, simply accepting credit cards for payment (as opposed to issuing credit cards) does not in itself make a retailer a “creditor.”
A retail business that meets the definition of a “creditor” must periodically determine whether it offers or maintain “covered accounts.” There are two types of “covered accounts.” The first is an account that is used primarily for personal, family or household purposes involving multiple payments or multiple transactions. The second is an account for which there is a foreseeable risk of identity theft, such as an account for a small business or sole proprietorship.
A retail creditor that offers or maintains covered accounts must establish a written program designed to detect and prevent identity theft and mitigate the effects of identity theft. Written programs will vary, depending upon the nature of the business and the types of transactions and accounts it maintains. FTC staff say that they will soon issue a model Red Flags Rule policy for small businesses.
Even a business at low risk of encountering identity theft needs to comply with the Red Flags Rule. For a low-risk business, the program can be relatively simple, focusing on how to respond to notifications or information suggesting that a customer’s identity is being misused. In general, the more certain a business is that its customers are who they say they are, the lower the risk of encountering identity theft.
A written program must include four elements.
- Policies and procedures to identify the warnings (or “red flags”) of identity theft that may arise in the daily operations of a business. Examples of red flags might include notifications from credit reporting companies, documents that appear altered, documents with information that is inconsistent with other information, an address or telephone number that has been used by many other people, an account that is used in a way that is different from the established pattern, information about unauthorized charges, and notices from law enforcement or a victim of identity theft.
- Policies and procedures to detect the warnings that have been identified. Examples of policies to detect red flags might include verifying customer identification when accounts are established, authenticating customers who access existing accounts, monitoring transactions, and verifying change-of-address requests. It may be appropriate to incorporate some of an organization’s existing practices, such as fraud detection practices, into the written plan.
- Policies and procedures to respond to the warnings that have been detected. Examples of appropriate responses to red flags might include monitoring an account, contacting the customer, changing passwords or security codes, and notifying law enforcement. Covered entities may also determine that no response is necessary if, under the circumstances, there is a reasonable basis to conclude that a particular red flag does not evidence a risk of identity theft.
- Policies and procedures to keep the program up to date, by evaluating it periodically and modifying it to reflect changing circumstances, such as changes to the business, changes in technology, and changing tactics used by identity thieves.
Organizations must administer their written programs. The initial written program must be approved by the board of directors or a committee of the board. In an organization that does not have a board of directors, a senior management employee must be designated to approve the program. The board, or a board committee, or a senior management employee, must be involved in administration of the program. Staff must be trained to implement the program. And there must be oversight of service providers who open or manage accounts or bill customers or collect debts.
In addition to the written program requirements set forth under 16 C.F.R. § 621.2, the FTC issued special rules that are likely to apply to many retailers, and that became effective November 1, 2008. First, under 16 C.F.R. § 621.3, issuers of credit cards must develop policies and procedures to assess the validity of a request for a change of address that is followed closely (i.e. within approximately 30 days) by a request for an additional or replacement card. The FTC does not interpret the rules to apply to gift cards or similar prepaid card products. In addition, under 16 C.F.R. § 621.1, users of consumer reports must develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.
FTC enforcement actions can lead to civil penalties for non-compliance of $3500 per violation. FTC staff says that the FTC is willing to resolve compliance issues informally if businesses make good-faith efforts to comply. States are authorized to enforce the Red Flags Rule, too: they may seek injunctive relief, $1000 for each willful or negligent violation, and attorneys’ fees and costs. Under some circumstances, private plaintiffs may be able to sue for violations of the Red Flags Rule.
The FTC has delayed enforcement of the new identity-theft rules three times, this time explaining that it will provide additional resources and guidance to clarify which businesses are covered by the rule and what must be done to comply. The current November 1, 2009 deadline is intended to give financial institutions and creditors more time to review the FTC’s guidance and implement a written program.
For more information, see the resources available on the FTC’s web site here