Clearing the Haze: Addressing Some Lingering Concerns about the FTC's Red Flags Rules

The woes of identity theft for both businesses and individuals have been compounded to near numbing levels. Billions upon billions of dollars each year are bled out of the nation's economy through a variety of crimes and schemes, and it's now to the point that everyone likely knows at least one person who has had their identity pilfered. In the war against this type of fraud, both federal and state governments have launched a number of offensives, including establishing cyber-crime law enforcement divisions and passing data security laws, in an attempt to curb damage and weave a tighter security net to protect consumers. One of the latest and most widely discussed has been a multi-agency effort to fill in the gaps in corporate efforts left by some of those data security provisions.

On January 1, 2008, the Federal Trade Commission's (FTC) "Red Flags Rules" went into effect as part of amendments to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and ultimately the Fair Credit Reporting Act (FCRA). The regulation requires "creditors" and financial institutions to adopt a written program to detect, prevent and mitigate identity theft in connection with the opening of a "covered account" or any existing "covered account." Building from a basic list of 26 "red flags"--which are defined as a pattern, practice or specific activity that could indicate identity theft--the objective of the regulation is to ensure that businesses and organizations are on the lookout for the signs that an individual is attempting to fraudulently use another person's identity to obtain goods or services.

As most credit managers are likely well aware, after a six-month delay, the mandatory deadline for compliance with the Red Flags Rules was May 1, 2009. What does this mean? Those companies that are affected by the rule should now have a written program in place that has been approved by the company's senior management or board of directors. Those that determined they are not subject to the regulation must remember that the rule also requires businesses to conduct ongoing risk assessments to determine if there is any "reasonably foreseeable risk" to their accounts that would trigger future mandatory compliance with the regulation.

For the last several months, the FTC and NACM have worked together to educate members about their responsibilities and to discuss the initiatives they should take to ensure those affected are in compliance, as well as to outline what the agency's expectations are for business creditors.

"Many people confuse data security with the Red Flags Rules," said Manas Mohapatra, attorney, FTC, Division of Privacy and Identity Protection, Bureau of Consumer Protection. "These are two distinct but related concepts. Data security is aimed at protecting the personal information that you have about your customers. The Red Flags Rules picks up where data security leaves off."

He added, "Despite the best of efforts, thieves do steal people's information. The Red Flags Rules are aimed at stopping and identifying identity thieves from using someone else's personal information at your organization to commit fraud or illegally obtain goods and services."

Doing the Two-step

Even though the date for compliance has already passed, many questions continue to loom over the Red Flags Rules and their impact on business creditors, including to what companies the rules apply. The first part of the regulations is that businesses need to determine if they are considered a "creditor" under the rule and whether they offer "covered accounts." Organizations must meet both criteria to be subject to the rules.

The FTC uses the definition for "creditor" that is outlined in the FCRA and the Equal Credit Opportunity Act (ECOA). In those pieces of legislation, any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit is considered a "creditor. …