FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of businesses covered by the Rule.

As we’ve previously written, the Rule requires all “creditors” and “financial institutions” that have “covered accounts” to develop and implement programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. The intended (and appropriate) scope of the Rule, however, is anything but clear and the FTC has delayed enforcement of the Rule multiple times in order to address this issue. (Note, however, that the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight. Similarly, the related address discrepancy and card issuer change of address rules are in effect and not delayed.)

Several days before the FTC’s announcement, Senators John Thune (R-SD) and Mark Begich (D-AK) offered up a bill “to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses” that is intended to help clarify the scope of the Rule. The bill includes exemptions from the Rule for certain businesses engaged in health care, accounting, and the practice of law as well as a catch-all for other low-risk entities if they apply to the FTC for exemption.

Will six months be enough to fix the Rule’s problems? Maybe not. So stay tuned!

Red Flag Rules Compliance Deadline Extension Not Grounds to Procrastinate

I spoke with Health Leaders Media about the Red Flag Rules and the FTC's further extension of the compliance deadline, previously discussed here. The title of the article says it all: "Don't Delay Because of Red Flags Rule Delay."

Red Flag Rules Blindside Retailers, But Extension of Compliance Deadline Helps

Last month, we blogged about whether the Red Flag Rules apply to medical care providers. According to the FTC, they may also apply to retailers.

The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most retailers have been caught off guard by this interpretation, since they are not accustomed to being considered “creditors.” Fortunately for them, in the nick of time for the May 1st compliance deadline, the FTC extended the deadline to August 1, 2009, giving retailers time to put their policies in place in a thoughtful and reasoned manner.

The Red Flag Rules require covered entities to implement a program to detect and respond appropriately to signs of identity theft. For a retailer that processes credit applications, this would mean, as an example, detecting situations in which a customer may be attempting to apply for credit using another person’s identity.

The FTC has reiterated that a covered entity’s red flag program should be “risk-based,” so if there is a relatively low risk of identity theft given the way the retailer processes credit applications, the red flag program can be simple. That said, there still needs to be a program in place.

As an example, where a retailer does nothing more than receive credit applications from customers and pass them on to a partner bank, the retailer could implement a program that includes, among other things:

  • Checking customers’ photo IDs when they apply for credit
  • Requesting multiple forms of ID
  • Training employees to know how to spot a fake ID
  • Following the guidelines for authenticating applicants provided by its partner bank
  • Documenting these procedures in writing, and training employees accordingly

The more involvement a retailer has in the processing of a credit application, the more robust its red flags program ought to be.

Red Flag Rules Leave Health Care Industry Wondering

The health care industry has been waiting for resolution of the question: Do the Federal Trade Commission’s Identity Theft Red Flag Rules apply to health care providers? With the May 1st compliance deadline looming, health care providers need to know. 

The answer seems to depend on whom you ask. The Federal Trade Commission (“FTC”) and the American Medical Association (“AMA”) have been in discussions regarding this point for the last several months.* Most recently, in a February 4th letter to the AMA, the FTC reiterated its earlier position stating that the Red Flag Rules apply to health care providers who regularly defer payment for medical services. In a February 23rd letter responding to the FTC, the AMA “strongly objected” to the FTC’s interpretation and alleged that the FTC failed to comply with the Administrative Procedures Act (“APA”) since it did not explain in advance its rules’ application to health care providers nor provide the public with notice and opportunity to comment. In summary, the AMA asked the FTC to either withdraw its interpretation or conduct a new rulemaking procedure that complies with the APA.

The Identity Theft Red Flag Rules require covered entities to implement a program to detect and respond appropriately to signs of identity theft. For a health care provider, this would mean, as an example, detecting situations in which a patient may be attempting to obtain medical services using another person’s identity and medical insurance policy. Since the FTC’s position on this issue has been firm, unless and until the AMA obtains a stay on enforcement of the rules, medical care providers should gear up for compliance.

According to the FTC, for many providers of medical care, compliance may not be too burdensome since their programs need only be scaled to the level of risk of identity theft faced by their patients. So if the risk is low, the identity theft program can be streamlined commensurate with such risk. 

As examples, a health care provider could implement a program that includes, among other things:

  • Checking patients’ photo IDs when medical services are sought
  • Responding appropriately when notified by a consumer or law enforcement agency that the consumer’s identity has been misused
  • Isolating suspect medical records from the victim’s medical records
  • Suspending collection efforts against the medical identity theft victim relating to services provided to the unauthorized individual

Depending on the size and complexity of the provider, a more robust program may be necessary.**

*See the FTC’s September ‘08 article on the applicability of the Red Flag Rules to health care providers.

**See The World Privacy Forum’s suggestions for health care providers addressing the Red Flag Rules. See a January ‘09 report commissioned by the U.S. Dep’t of Health and Human Services’ Office of the National Coordinator for Health Information Technology regarding medical identity theft, including suggestions to prevent medical identity theft and actions to take in the event that medical identity theft is suspected.