Federal Trade Commission Pushes Back Launch of 'Red Flags Rule' Enforcement

Article excerpt

It's called the "Red Flags Rule," and it's coming to financial institutions, brokerage firms, credit card companies and mortgage firms near you as of Nov. 1.

In essence, the regulation requires affected businesses to take a proactive approach to identity theft, developing and maintaining a written program to detect, prevent and mitigate ID theft.

Businesses like auto dealers, utilities, telecommunications companies and others regulated by the Federal Trade Commission this week got a breather from the FTC, which pushed its enforcement launch date to May 1.

Fines for noncompliance range from $2,500 to $11,000 per violation.

In addition to the FTC, businesses regulated by the FDIC, Office of the Comptroller of the Currency, Federal Reserve Board, Office of Thrift Supervision, and National Credit Union Administration must comply with the regulation. None of the other five agencies have yet announced a postponement of enforcement.

Attorney Eric Johnson explained Thursday that, as the FTC interprets the regulation, a violation could potentially be assessed for each account affected, not just for each red flag program.

Johnson, a shareholder with the Phillips Murrah law firm, said Congress told federal regulators to come up with such a rule in 2003, as part of the Fair and Accurate Credit Transactions Act.

He said the law also requires companies to conduct a risk assessment of all the accounts they maintain or offer, to see if they are covered.

"They would look at, how do we give access to our accounts, how do we open our accounts, do we have any prior experiences of identity theft on this type of account," he said.

Johnson said covered accounts are mostly consumer-related, but could include business and commercial accounts "where there is a reasonably foreseeable risk to either the customer or the creditor from identity theft."

Johnson said that in developing a required program, businesses must detail "red flags" associated with their accounts, and how they would respond to them.

"Generally, a red flag is either an activity or maybe a pattern of practice that indicates either there has been identity theft or maybe the possible existence of identity theft, something that, just like it sounds, pops up and says, wait a minute, bells and whistles going off," he said. …