President Obama signs bill to clarify FTC "Red Flag" rules
In November 2007 the Federal Trade Commission issued its “Red Flag” Rules as required under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), giving “creditors” one year, until November 2008, to implement a written Identity Theft Prevention Program for “covered accounts.”
Delays in the effective date unfolded, as groups of lawyers, doctors and accountants challenged the rules’ applicability to their constituents.
The rules were intended for personal household accounts like credit cards, auto loans, utilities or cell phones. But if a “creditor” was -- as the agency said -- “any person that provides a product or service for which the consumer pays after delivery,” and a “covered account” was one “designed to permit multiple payments or transactions,” were even doctors and lawyers obliged to adopt a policy to detect warning signs of identity theft, such as unusual account activity?
Newspapers asked whether subscriptions, which involve multiple payments or transactions, could be extensions of credit (though such accounts are typically billed in advance for a number of weeks), and whether classified advertising (where newspapers secure credit card payment at the time of purchase) or large commercial or retail advertising accounts could involve a risk of identity theft.
Since the agency said small business or sole proprietor accounts may raise foreseeable risks, newspapers asked if a small business that advertises on a regular basis, or a newspaper carrier, might create a covered account.
The agency acknowledged business uncertainty about who was covered. When the U.S. District Court for the District of Columbia sided with the American Bar Association in its challenge in December 2009, the agency appealed, but tolled enforcement until the end of 2010 to give Congress a chance to clarify the rules’ scope.
On December 9, 2010, Congress sent the President the “Red Flag Program Clarification Act of 2010,” excluding certain providers that deliver service before payment. On December 18, President Obama signed the bill into law. The legislation, attached here, amends the Fair Credit Reporting Act (which the FACTA amended, and which states the penalties under the Red Flag rules) to redefine the term “creditor.”
A creditor is now one who:
[A] falls within the existing definition in section 702 of the Equal Credit Opportunity Act, 15 U.S.C. 1691a -- that is, one who regularly extends, renews, or continues credit; regularly arranges for extension, renewal, or continuation of credit; or is assignee of an original creditor that participates in the decision to extend, renew, or continue credit –
and
[B] who also:
[1] regularly and in ordinary course of business:
- obtains or uses consumer reports directly or indirectly in connection with a credit transaction;
- furnishes information to consumer reporting agencies in connection with a credit transaction; or
- advances funds to or on behalf of a person based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person (except for advancement of funds for “expenses incidental to a service provided by the creditor to that person”);
or
[2] is any other type of section 702 creditor that the agency determines is appropriate by regulation because it offers or maintains accounts that are subject to a “reasonably foreseeable risk” of identity theft.
Because a creditor must now also regularly obtain or use consumer reports, furnish information to consumer reporting agencies, or advance funds based on an obligation to repay (and advancing funds “for expenses incidental to a service provided by the creditor to that person” does not count), the definition is narrower and excludes many of the professionals that challenged the rules’ enforcement.
Newspapers that do not regularly use consumer reports or report to consumer reporting agencies in connection with their transactions, and do not regularly advance funds based on an obligation to repay (other than for incidental expenses), are unlikely, on that basis, to be considered “creditors” for purposes of the Red Flag Rules.
Nevertheless, the definition leaves intact the agency’s discretion to determine by regulation those section 702 creditors that offer or maintain accounts subject to “reasonably foreseeable risk” of identity theft. NAA will continue to monitor regulatory activity with respect to the Red Flag rules.
Current Regulations
For those companies that are affected by the Red Flag rules, the current regulations are effective December 31, 2010. The agency’s website has a template to help businesses to design a compliance program. The agency provides a compliance manual, "Fighting Fraud with the Red Flag Rules: A How-to Guide for Businesses."
The rules, found in 16 C.F.R. 681.2 and in Appendix A to Part 681, apply to financial institutions or "creditors" who maintain "covered accounts." A covered entity that fails to comply with the Red Flag Rules may be subject to civil monetary penalties. Effective February 9, 2009, civil monetary penalties for noncompliance with the Fair Credit Reporting Act, including the Red Flag Rules, were increased based on the Consumer Price Index to $3,500 per violation. (For repeated violations after an order to comply, the FTC could file a suit seeking several times that for each violation.)
Written Program Elements and Guidelines
Affected companies must establish a written Program to identify and detect "identity theft warning signs," such as unusual account activity; to prevent and mitigate identity theft; and to provide staff training and oversight of service providers.
The Program must meet four Elements:
- Identify red flags for its own type of covered accounts and incorporate them into the Program;
- Detect those red flags;
- Respond to them; and
- Update the Program periodically to meet changing risks.
To administer the Program, the covered entity must:
- Secure approval of the initial Program from the board of directors (or board committee);
- Designate a senior management member to oversee and administer the Program, including review of staff compliance reports;
- Train staff as necessary to implement the Program effectively; and
- Ensure, when it engages a service provider to perform an activity on its behalf (such as one that opens accounts), that the activity is conducted in compliance with a Program that satisfies the rules.
The covered entity must consider the interagency Guidelines provided in the final rule to form and maintain a satisfactory Program. The entity may decide that certain guidelines are inappropriate for its Program, but it must still establish policies that meet the rules. Under the Guidelines, in designing its Program the covered entity should:
- Consider four factors in identifying relevant red flags: its types of covered accounts, the methods it provides to open them, the methods it provides to access them, and its prior experiences with identity theft;
- Incorporate red flags from its experiences, from theft methods that reflect changes in risks, and from applicable supervisory guidance;
- Include red flags from alerts from consumer reporting agencies or fraud detection services, from the presentation of suspicious documents or suspicious personal identifying information (such as suspicious address changes), from suspicious activity on a covered account, and from notice of possible identity theft from law enforcement, victims or customers;
- Detect red flags by verifying the identity of persons opening a covered account, monitoring transactions, and verifying address changes;
- Respond to red flags by monitoring the account, contacting the customer, changing passwords or security codes, reopening the account with a new account number, not opening or closing the account as appropriate, not attempting to collect on the account or to transfer it to debt collection, notifying law enforcement, or determining no response is warranted;
- Update the program to reflect changing risks based on experience, changing identity theft methods, changing detection and prevention methods, changes in the types of accounts the entity offers, and changes in the entity's business arrangements;
- Oversee the Program by the board, a board committee, or senior management member who reviews staff compliance reports and approves material changes to the policy;
- Produce staff compliance reports at least annually that evaluate the Program's effectiveness in relation to opening of accounts, service provider arrangements, and significant identity theft incidents, and recommendations for changes;
- Ensure (such as by contract) that any service provider conducts its activities in compliance with a Program that satisfies the rules;
- Be mindful of other legal requirements such as limits on reports to consumer reporting agencies for information the furnisher has reasonable cause to believe is inaccurate, or prohibitions on collection of debts resulting from identity theft;
- Consider incorporating into the Program the "illustrative examples" provided by the agency.
In a supplement to the Guidelines (Supplement A to Appendix A), the agency provided a list of illustrative examples of red flags in connection with covered accounts. These examples include:
- various alerts from consumer reporting agencies;
- suspicious documents such as apparent alterations, forgeries or mismatched photos;
- suspicious personal identifying information such as mismatched addresses, false social security numbers, or phone numbers associated with fraudulent applications;
- partially completed applications or inconsistent information;
- inconsistent patterns of activity on accounts;
- mail that is returned repeatedly while transactions continue in relation to the account;
- notification that the customer is not receiving paper account statements; and
- notice from law enforcement or a customer.
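To make the illustrative red flags above concrete as detection logic, here is an added example (not from the NAA article, the FTC rule text, or any vendor) that runs a handful of them as rules over a constructed account event log: alerts from a consumer reporting agency, mail returned repeatedly while transactions continue, an address change followed shortly by a replacement-card request, an application phone number previously tied to fraudulent applications, and a report that paper statements are not arriving. The event schema, account identifiers, dates, thresholds and the known-bad phone list are all assumptions made for illustration.

```python
"""Toy red-flag detector over a constructed account event log.

Added example; not part of the NAA article or the FTC rule text.
Event schema, account ids, dates, thresholds and the known-bad phone
list are assumptions made up for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample events: (account_id, event_date, event_type, detail).
EVENTS = [
    ("A-100", date(2010, 9, 1), "cra_alert", "fraud alert on consumer report"),
    ("A-100", date(2010, 9, 3), "transaction", "purchase 45.00"),
    ("A-200", date(2010, 9, 2), "returned_mail", "statement undeliverable"),
    ("A-200", date(2010, 9, 10), "transaction", "purchase 120.00"),
    ("A-200", date(2010, 9, 30), "returned_mail", "statement undeliverable"),
    ("A-200", date(2010, 10, 5), "transaction", "purchase 80.00"),
    ("A-300", date(2010, 9, 5), "address_change", "new mailing address"),
    ("A-300", date(2010, 9, 12), "replacement_card_request", "card reported lost"),
    ("A-400", date(2010, 9, 7), "application", "phone=555-0100"),
    ("A-500", date(2010, 9, 8), "statement_not_received", "customer called"),
    # Negative case: one returned letter and an address change, but no
    # repeat returns and no card request, so nothing should fire.
    ("A-600", date(2010, 9, 1), "returned_mail", "statement undeliverable"),
    ("A-600", date(2010, 9, 2), "transaction", "purchase 10.00"),
    ("A-600", date(2010, 9, 9), "address_change", "customer updated address"),
    ("A-600", date(2010, 9, 20), "transaction", "purchase 15.00"),
]

# Constructed: phone numbers seen on earlier applications found to be fraudulent.
KNOWN_FRAUD_PHONES = {"555-0100"}


def find_red_flags(events, window_days=60, returned_mail_threshold=2,
                   card_request_days=30):
    """Return a sorted list of (account_id, rule, note) for flagged accounts."""
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev[0]].append(ev)

    flags = []
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e[1])

        # Rule 1: any alert from a consumer reporting agency is itself a red flag.
        for _, _, kind, detail in evs:
            if kind == "cra_alert":
                flags.append((acct, "cra_alert", detail))

        # Rule 2: mail returned repeatedly within the window while
        # transactions continue on the account after the first return.
        returns = [d for _, d, kind, _ in evs if kind == "returned_mail"]
        if (len(returns) >= returned_mail_threshold
                and returns[-1] - returns[0] <= window):
            later = [d for _, d, kind, _ in evs
                     if kind == "transaction" and d > returns[0]]
            if later:
                note = f"{len(returns)} returns, {len(later)} transactions after first return"
                flags.append((acct, "returned_mail_with_activity", note))

        # Rule 3: address change followed shortly by a replacement-card request.
        changes = [d for _, d, kind, _ in evs if kind == "address_change"]
        for _, d, kind, _ in evs:
            if kind != "replacement_card_request":
                continue
            recent = [c for c in changes if 0 <= (d - c).days <= card_request_days]
            if recent:
                note = f"address changed {recent[-1]}, card requested {d}"
                flags.append((acct, "address_change_then_card_request", note))

        # Rule 4: application phone number previously tied to fraud.
        for _, _, kind, detail in evs:
            if kind == "application":
                phone = detail.partition("phone=")[2]
                if phone in KNOWN_FRAUD_PHONES:
                    flags.append((acct, "known_fraud_phone", phone))

        # Rule 5: customer reports not receiving paper statements.
        for _, _, kind, detail in evs:
            if kind == "statement_not_received":
                flags.append((acct, "statement_not_received", detail))

    return sorted(flags)


if __name__ == "__main__":
    for acct, rule, note in find_red_flags(EVENTS):
        print(f"{acct}: {rule} ({note})")
```

Each rule maps to one of the listed examples; the output is meant to feed the response step (contact the customer, reissue the account number, hold collection), not to decide it. Thresholds and the 30-day pairing window are knobs to tune against the entity's own experience, which is exactly the periodic update the Guidelines call for.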
First Published: December 23, 2010