
Federal Rule Requires Programs To Combat Identity Theft

A Federal Trade Commission (FTC) rule known as the "Red Flags Rule" (the Rule) requires financial institutions and "creditors" who offer or maintain "covered accounts" to have written programs in place that identify, detect and respond to red flags (indications) of possible identity theft. "Identity theft" is fraud committed or attempted using identifying information of another person without authority.
The FTC states that "federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit." More simply, the FTC says that "any person that provides a product or service for which the consumer pays after delivery is a 'creditor.'" Accepting payment by credit card does not itself make a business a "creditor," as the credit card payment results in a business receiving nearly contemporaneous payment.

When the Rule was originally adopted in 2007, it was initially thought that the Rule was intended to apply primarily to financial institutions and similar businesses. The federal government took a broader view, but postponed enforcement of the Rule until May 1, 2009. The federal government has not issued further clarification of the application of the Rule, as had been anticipated. Pending such clarification, to be prudent, other types of businesses that fit within the literal terms of the Rule should endeavor to comply with it.

Under the Rule, an "account" is a continuing relationship established by a person with a financial institution or creditor to obtain products or services.
To be subject to the Rule, an account must be a "covered account." There are two types of "covered accounts."

The first type of "covered account" is any consumer account (i.e., an account where the goods or services provided are for personal, family, or household use) that permits multiple payments or transactions for goods or services provided in the course of a continuing relationship. Examples given by the FTC are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. Additionally, in a published letter, the FTC has advised the American Medical Association that physician practices are subject to the Rule because there is a continuing relationship between the patient and the physician for the purpose of obtaining medical services, and physicians do not require full payment at the time medical services are provided.
The second type of "covered account" includes any other type of account for which there is "a reasonably foreseeable risk" of identity theft. In determining whether accounts are covered under this category, it is necessary to consider how they are opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely such as through the Internet or by telephone.

Under the Rule, creditors who offer or maintain covered accounts must have a written program containing policies and procedures that address how the business will identify, detect, and respond to identity theft. The program should be tailored to the degree of risk of identity theft that the business is likely to face. Businesses need to conduct a risk assessment of their covered accounts, considering, given the nature of the business, how likely it is that those accounts would be subject to identity theft. For businesses whose customer accounts pose a relatively low risk of identity theft, the program may be concise - focusing, for example, on verifying customer identity and customer notification in the event of detected identity theft. For businesses whose customer accounts may pose a higher risk of identity theft, programs should be more comprehensive - addressing, for example, how covered accounts are opened and accessed, how information is safeguarded and transferred, and what previous experiences the business has had with identity theft.

The Rule requires oversight, implementation, and approval of the program by the board of directors or senior management of the business, staff training, annual review of the program, and oversight of third party service providers who perform activities in connection with covered accounts.
The FTC is authorized to impose civil penalties for violations of the Rule. Businesses also may be subject to civil liability for actual damages sustained by a customer who suffered harm as a result of a business's failure to comply with the Rule, along with punitive damages, costs, and attorneys' fees.
The FTC makes available on its website numerous resources regarding compliance with the Rule. See, e.g., FIGHTING FRAUD WITH THE RED FLAGS RULE - A How-To Guide for Business, which is available at: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm.

Date: April 28, 2009

Type: Publications

Teams: Financial Services