The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program. In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement, though, does not affect companies subject to the enforcement authority of federal agencies other than the FTC.
Confusion Among Companies Regarding Coverage
The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently. The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.
As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.” Therefore, the FTC will delay enforcement of the new rules for six months. Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.
Who and What Are Covered
A company must consider whether it would be considered a covered entity – i.e., a financial institution or a creditor. Financial institutions include banks, mortgage lenders, savings and loan associations, mutual savings banks, credit unions or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. As to the definition of creditor, the Red Flag Rules reference the Equal Credit Opportunity Act (“ECOA”), which defines a creditor as anyone who grants to a debtor the right “to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.” In its Enforcement Policy Statement, the FTC noted that under the ECOA’s definition, “any person that provides a product or service for which the consumer pays after delivery is a creditor.” Thus, under this broad interpretation, many companies that permit their customers to defer payment for any purchase may be covered under the rules.
Once a company determines that it is indeed a covered entity, it must assess which of its accounts or products fall under the definition of “covered accounts” – a red flag program need only apply to these covered accounts. The definition of “covered account” is divided into two parts: (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.
Covered entities then must develop written policies and procedures not only to identify and detect red flags, but also to respond to red flags by preventing or mitigating potential identity theft. A red flag is a pattern, practice or activity that could indicate identity theft. Because covered entities must tailor their red flags programs to their particular business, these companies will need to perform a risk assessment to evaluate current identity theft prevention measures, their shortcomings and the risks to customers. In addition, companies must periodically update their identity theft programs to address emerging threats. The final rules became effective on January 1, 2008, and, prior to this announcement, covered entities were required to comply by November 1, 2008. You can read more about the Red Flag Rules here.