FTC TO START ENFORCING IDENTITY THEFT RED FLAG RULE ON MAY 1, 2009
In November 2007, the Federal Trade Commission, along with the federal bank regulatory agencies and the National Credit Union Administration, promulgated the Identity Theft Red Flag rule pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the federal Fair Credit Reporting Act. The rule became effective January 1, 2008 and had a mandatory compliance date of November 1, 2008. Because of confusion and uncertainty with respect to the rule’s applicability to certain persons subject to the FTC’s jurisdiction, the FTC postponed enforcement of the rule until May 1, 2009.
Is Your Business Covered?
Whether a business must comply with the rule depends upon whether it is considered a “financial institution” or a “creditor” within the scope of the rule and has “covered accounts” as defined below. As expected, “financial institution” includes a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. However, “creditor” is broadly defined to include any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit. Examples of businesses that are brought within the scope of the rule include finance companies, mortgage brokers, real estate agents, automobile dealers and retailers that offer financing or help consumers get financing from others. A third-party debt collector who regularly renegotiates the terms of a debt also may be covered.
What Accounts are Covered
“Covered accounts” include (i) consumer accounts that involve or are designed to permit multiple payments or transactions and (ii) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.
What’s in the Rule
The rule requires businesses subject to the rule to periodically determine whether they offer or maintain accounts that are subject to the rule. Those that do must develop, implement and administer written identity theft prevention programs. The programs must provide for (i) the identification of identity theft “red flags,” (ii) the detection of the identified red flags, (iii) appropriate action when red flags are detected and (iv) periodic reevaluation of the program to address new risks of identity theft.
Time is short. If you have any last-minute questions as to the applicability of the rule to your organization, or if you need assistance in reviewing your current identity theft program for compliance with the rule or in developing and implementing a new program, please do not hesitate to contact us.
- Charles Gall