Prepared to comply with FTC's Red Flag Rules?
By Andrew B. Lustigman and Jill L. Abitbol
To deal with the growing problem of identity theft, the Federal Trade Commission last year, working with other federal agencies, jointly issued regulations called the "Red Flag Rules."
Although primarily aimed at financial institutions, the Red Flag Rules have a broad scope that expressly includes creditors such as telecommunications companies.
The Red Flag Rules have already gone into effect and require all covered companies to establish and implement procedures to prevent and address various categories of potential identity theft.
Though covered companies must begin compliance immediately, enforcement of the Red Flag Rules has been suspended until May 1, 2009 because of the confusion they have generated.
Given this brief reprieve in enforcement, telecommunications companies and other covered companies must address their compliance obligations now, if they have not done so already. This article addresses Red Flag Rules compliance issues.
Scope of the Red Flag Rules
The Red Flag Rules require covered companies to identify, detect and respond to patterns, practices or specific activities -- known as "red flags" -- that could indicate identity theft in connection with new and existing accounts.
These rules apply to all companies that meet the definition of "creditor," and are triggered whenever a company offers or maintains "covered accounts."
The rules define the term "creditor" to include "persons or businesses that arrange for the extension, renewal, or continuation of credit."
Under this broad definition, many companies that offer customers the option to defer payment now find themselves subject to the Red Flag Rules.
Thus, not only are credit card companies and financial institutions subject to these rules, but so are telecommunications companies, automobile dealers, utility companies, mortgage brokers, finance companies and any other company that regularly extends or merely arranges for the extension of credit.
Even nonprofit and government entities, such as many hospitals, that defer payment for goods and services, are considered to be "creditors."
The FTC estimates that the Red Flag Rules are likely to affect more than 11 million companies or people.
There has been confusion and uncertainty in some industries about their coverage under the rules.
That is why the FTC recently announced that it will suspend enforcement of the rules until May 1, 2009 to give organizations that are subject to regulatory oversight (including those companies that were originally unaware that they were subject to the rules), additional time to develop and implement their compliance programs.
Designing a program
Companies subject to the Red Flag Rules are required to design and implement a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing account ("program").
The programs must be uniquely tailored to a covered entity's size, complexity and the nature of operations. However, every program must have four essential features:
Identify
Each covered entity must identify and incorporate relevant patterns, practices and specific forms of activity that are "red flags" signaling possible identity theft.
These red flags will vary depending on the nature of the business in question, but they must be based on the guidance provided by regulators and the covered entities' own experiences.
Some examples of red flags include applications which appeared to be forged, altered, destroyed or reassembled; receiving a credit report containing a fraud alert, credit freeze or address discrepancy and a change of address notice that is followed shortly by a request for a new credit card, bank card or mobile phone.
Other examples include if an address or telephone number supplied by an applicant is the same or similar to the account number or telephone number submitted by a large number of other persons; and a material increase in the use of available credit.
Detect
Once a covered entity identifies its red flags, it must then develop policies and procedures to detect these red flags when they occur.
The FTC's guidelines recommend obtaining and verifying identifying information about persons opening accounts or, in the case of existing accounts, authenticating customers, monitoring transactions and verifying the validity of address change requests.
Respond
Each covered entity must develop appropriate policies and procedures to respond to any detected red flags in order to prevent and mitigate identity theft.
The response should be commensurate with the degree of risk posed.
The guidelines recommend contacting customers about suspicious activity, notifying law enforcement and changing any password or security devices that permit account access or closing an account.
Update
Finally, each covered entity must update its program periodically to identify new red flags or adjust to changes in risks of identity theft.
Specifically, companies should be aware that risks may change when it alters its business arrangements or modifies the types of accounts it offers.
While not all of the guidelines or red flags may be directly applicable to every company, the FTC specifically urges covered entities to carefully consider and evaluate whether and how to incorporate them into company policies and identity-theft-prevention programs.
Administering the program
The Red Flag Rules also enumerate certain steps that a covered entity must take to administer its program.
The covered entity must:
â?¢ Obtain approval of the initial written program by the board of directors or at least a committee of the board;
â?¢ Ensure oversight by the board of directors, a committee of the board, or senior management of the development, implementation and administration of the program;
â?¢ Report, at least annually, on compliance with the Red Flag regulations;
â?¢ Train staff to implement the program effectively; and
â?¢ Exercise appropriate and effective oversight of arrangements with third-party and affiliated service providers.
The rules require that organizations periodically reassess and revise their policies and practices, including modifications and/or expansions to detect and respond to new and emerging risks.
Companies will want to specifically appoint someone within the company with responsibility to maintain and update the program and to include their efforts as an explicit component of the program from the start.
Covered accounts maintained or accessed by service providers
The Red Flag Rules require that organizations exercise appropriate, effective oversight of service provider arrangements, such as a third-party billing provider.
FTC guidelines state that if an organization engages a service provider to perform an activity in connection with covered accounts, the organization should ensure that, just like the company itself, the service provider also conducts its activities so as to detect, prevent, and mitigate the risk of identity theft.
In order to meet the FTC guidelines on working with these service providers, an organization could contractually require the service provider to follow the organization's program or it could require that the service provider establish and follow an approved program of its own.
These issues should be dealt with before a service provider is hired by any covered company.
Consequences of noncompliance
Once enforcement begins in 2009, failure to comply with the Red Flag Rules could result in civil monetary fines and lawsuits.
When the FTC monitors compliance with the Red Flag Rules, it will be looking for good faith, reasonable efforts to comply.
The new Red Flag Rules are intended to ensure the safety of sensitive consumer information.
As such, they require companies with covered accounts to take reasonable measures to detect, prevent and mitigate the risk of identity theft.
Even though enforcement has been postponed until May 2009, companies subject to the rules should adopt the required policies and procedures immediately if they have not already done so, and they should seriously identify and minimize the pertinent risks.
Finally, covered companies should be aware that using third-party service providers does not relieve them of the obligation to comply with the Red Flag Rules.
Andrew B. Lustigman is principal and Jill L. Abitbol is attorney at The Lustigman Firm. Reach them at and .