The deadline for the "Red Flags Rule" is now August 1, 2009.
On August 1, 2009, the Federal Trade Commission (FTC) will begin enforcing the "Red Flags Rule" of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. § 1681 (FACTA). In accordance with the Red Flags Rule, financial institutions and creditors with covered accounts must institute a written identity theft prevention program intended to identify, detect, and respond to patterns or specific activities that could indicate identity theft. The types of patterns and activities that the FTC calls "red flags" include:
- Warning notices from credit reporting agencies
- Suspicious data submitted by a customer, such as altered or apparently forged documents, or any information that seems suspect
- Suspicious personal identifying information, such as inconsistencies in addresses, phone numbers or Social Security numbers
- Material omissions from a credit application
- Suspicious account activity, such as address changes, new accounts used to make large purchases, or mail returned as undeliverable
Entities that do not comply with the rule may be subject to substantial financial penalties.
Does the Rule Apply to You or Your Company?
The FTC estimates that more than 11 million U.S. businesses will be affected by and subject to the Red Flags Rule. Any creditor organization or financial institution that provides customers with covered accounts permitting them to make payments or enter into financial transactions should review whether it is subject to the Red Flags Rule.
What is a "Creditor Organization?"
Federal law defines a creditor as:
1. An entity that regularly extends, renews or continues credit, or
2. An entity that regularly arranges for the extension, renewal, or continuation of credit, or
3. An assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Finance companies, automobile dealers, mortgage brokers, and utility and telecommunications companies are all "creditor organizations" subject to the law. Regulations may also apply to leasing companies, hospitals, health care providers and insurance companies.
What is a "Financial Institution?"
Financial institutions are entities that offer accounts which allow consumers to write checks or make payments to third parties through other means, such as wire transfers or telephone transfers.
What is a "Covered Account?"
A covered account is defined as:
1. An account that is used mostly for personal, family or household expenses and that involves multiple payments or transactions, or
2. An account for which there is a foreseeable risk of identity theft.
How Do You Comply?
To satisfy the Red Flags Rule, the identity theft prevention plan must be in writing and it should:
1. Identify relevant red flags that may indicate identity theft
2. Detect red flags by implementing a procedure to detect such risks in day-to-day operations
3. Prevent and mitigate identity theft with an appropriate response and reporting procedure
4. Be updated when necessary to reflect changing developments.
Credit Card Issuers
There are special rules for credit card issuers, which must establish and implement reasonable policies and procedures to assess the validity of any address change that is followed by a request for additional or replacement cards. New or replacement cards may not be issued until:
1. The card issuer clearly and conspicuously notifies the cardholder of the request and provides the cardholder with a reasonable means of promptly reporting incorrect address changes, or
2. The card issuer otherwise verifies the new address following a procedure set out in the issuer’s identity theft prevention plan.
Consumer Credit Report Handling
Entities that use consumer credit reports have additional obligations if they receive a report containing an address discrepancy. For such cases, they must:
1. Develop and implement procedures that allow them to form a "reasonable belief" as to whether the consumer report relates to an individual, and
2. Implement procedures for notifying the consumer reporting agency of the corrected address.
Penalties for Noncompliance
The new law authorizes the FTC to bring federal lawsuits against companies that knowingly violate the law or engage in a pattern or practice of violations. Penalties may go as high as $2,500 for each infraction. Users of consumer reports who fail to comply with the address discrepancy regulations are also subject to civil lawsuits for damages under §§ 616 and 617 of the Fair Credit Reporting Act.
Prince Lobel is well positioned to help companies create and implement identity theft protection programs that comply with the FACTA regulations. With May 1 fast approaching, our attorneys are available now to assist you in achieving the federally mandated compliance. For more information or if you have any questions about FACTA’s impact on your business, please contact Peter J. Caruso II at [email protected] or 617 456 8034.