The FTC's “Red Flags” Rule: Are You Ready?
To no one’s surprise, there has been a meteoric rise in the incidents of identity theft, which occurs when one fraudulently uses another’s name, Social Security number, date of birth, biometric data, unique electronic identification numbers, or other form of identification to masquerade as that person. In response, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA). This law mandates that the Federal Trade Commission, federal bank regulatory agencies, and the National Credit Union Administration jointly develop rules and guidelines for “financial institutions” and “creditors” to detect, prevent and mitigate identity theft. One result is the FTC's “Red Flags Rule,” which currently is scheduled to go into effect on November 1, 2009.
Who Is Covered?
The simple answer is financial institutions and creditors.
Though sounding narrow, the definitions of “financial institution” and particularly of “creditor” (and “credit”) are remarkably expansive and, moreover, will be interpreted broadly:
1. “Financial institution” means a “State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.” A “transaction account” is a “deposit or account from which the owner may make payments or transfers to third parties or others.”
2. “Creditor” means any person who regularly extends, renews or continues credit or any person who regularly arranges for the extension, renewal, or continuation of credit. And “credit” means the right granted by a creditor to a debtor to defer payment or to incur debts and defer their payment or to purchase property or services and defer payment for them.
Given these definitions, the Rule extends to anyone who defers payment for goods, property, or services. In various materials, the FTC has expressly mentioned that those covered may include, by example, hospitals, doctors, lawyers[1], merchants, utility companies, telecommunications companies, lenders, such as banks, finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others. Needless to say, if one extends any credit to another, the Red Flags Rule may apply.
What Is Covered?
There are two categories of covered accounts:
1. Consumer accounts that are offered to customers primarily for personal, family, or household purposes and are “designed to permit multiple payments or transactions.”
2. “Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
The first category is relatively straightforward and would always be deemed a covered account. The second category is the problematic one, because it covers accounts where there is a “reasonably foreseeable risk” of identity theft. The assessment of whether this risk exists in any particular situation is fact-specific and is never static, so, not surprisingly, guidance on what is included in this second category is currently sparse at best.
Under the Rule, each financial institution and creditor “must periodically determine whether it offers or maintains covered accounts.”
How Does The Red Flags Rule Apply?
The Red Flags Rule requires that covered businesses and organizations develop, implement, and administer a written program, including policies and procedures, for the detection, prevention, and mitigation of identity theft. This Identity Theft Prevention Program must include four components:
A. Identification of the “red flags” or suspicious patterns, practices, or activities that suggest or lead to identity theft;
B. Procedures for the detection of specific instances of red flags;
C. An action plan to address detected red flags; and
D. Procedures for periodically re-evaluating the Program.
This may not be a purely paper exercise. According to the FTC, the Program must (a) be adopted at the board level of the organization, (b) identify what board member, board committee, or senior member of management is responsible for overseeing, developing, implementing and administering the program, (c) include staff training, and (d) include oversight of service provider arrangements.
The specifics of the Program are to be tailored to the entity’s size, complexity, and nature of its operations. Also, it is clear that already existing data security measures may not be enough. Rather, the FTC views the Red Flags Rule as picking up where data security measures leave off.
When Does The Red Flags Rule Become Effective?
As of the date of this Alert, November 1, 2009. Are you ready?
###
If you have questions or would like to discuss your organization’s specific situation, please contact David Gryce by telephone at 202-775-5797 or by e-mail at gryce.david@arentfox.com
David Gryce is a partner in the Intellectual Property Group of Arent Fox LLP.
[1] On August 27, 2009, the ABA filed a court action against the FTC’s application of the Red Flags Rule to the legal profession.