FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule.

As we’ve previously written, the Rule requires all “creditors” and “financial institutions” that have “covered accounts” to develop and implement programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. The intended (and appropriate) scope of the Rule, however, is anything but clear and the FTC has delayed enforcement of the Rule multiple times in order to address this issue. (Note, however, that the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight. Similarly, the related address discrepancy and card issuer change of address rules are in effect and not delayed.)

Several days before the FTC’s announcement, Senators John Thune (R-SD) and Mark Begich (D-AK) offered up a bill “to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses” that is intended to help clarify the scope of the Rule. The bill includes exemptions from the Rule for certain businesses engaged in health care, accounting, and the practice of law as well as a catch-all for other low-risk entities if they apply to the FTC for exemption.

Will six months be enough to fix the Rule’s problems? Maybe not. So stay tuned!

DC Court Sides with the ABA - No Red Flag Rules for Lawyers

The U.S. District Court for the District of Columbia has ruled that the Federal Trade Commission's Red Flags Rules cannot be enforced against lawyers, saying that the FTC's interpretation of the Fair and Accurate Credit Transactions Act overreaches, and its application to lawyers is unreasonable. Judge Reggie Walton said he had trouble accepting the FTC’s definition of a creditor. Judge Walton ruled from the bench with a written decision to follow.

The American Bar Association, represented by a Proskauer team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers are not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

The American Bar Association's complaint, prepared on a pro bono basis by Proskauer Rose, said that the application of the Rule to practicing lawyers is “arbitrary, capricious and contrary to law,” and that the FTC has failed “to articulate, among other things: a rational connection between the practice of law and identity theft; an explanation of how the manner in which lawyers bill their clients can be considered an extension of credit under the FACTA; or any legally supportable basis for application of the Red Flags Rule to lawyers engaged in the practice of law.” 

The FTC has not yet indicated whether it will appeal Judge Walton's ruling.

Here is a link to the court’s order.

Here is a link to the ABA’s press release.

Third Time's A Charm: FTC Delays Enforcement Of The Red Flags Rule Again

The Federal Trade Commission (“FTC”) announced today that, for the third time, it will delay enforcement of the Red Flags Rule until November 1, 2009 – a year after the original November 1, 2008 compliance deadline. In delaying enforcement yet again, the Commission stated that it intends to engage in an “expanded business education campaign” in which the staff will “redouble its efforts to educate [businesses] about compliance.” Such a campaign is designed to “clarify whether businesses are covered by the Rule and what they must do to comply.” The delay does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

The FTC acknowledged that many entities, particularly small businesses and other companies with a low risk of identity theft, remain uncertain about whether they are covered under the Rule, and, if so, what steps they must take to comply. As part of its education campaign, the FTC stated that it plans to create a link on its Red Flags Rule website to provide additional guidance regarding the Rule to small and low-risk entities.  To date, the FTC has provided, among other things, a how-to guide for businesses, FAQs, and an online do-it-yourself Identity Theft Prevention Program for low-risk entities. 

The delay underscores the difficulty the Commission staff has had in anticipating and explaining the precise scope of the Rule – namely what entities are covered by the Rule. As a practical matter, the Rules, and the FTC’s interpretation of them, have cast a net so wide as to ensnare businesses that have not encountered identity theft in their operations and that are not normally subject to the Commission’s jurisdiction. Indeed, as we have discussed before on this blog, there has been confusion among companies regarding the scope of the Rule. And despite previous delays and additional FTC guidance, many businesses, as well as entire industries, have still been caught off-guard by the Rule. Nevertheless, the FTC believes that this extension and the new guidance the Commission will provide “should enable businesses to gain a better understanding of the Rule and any obligations that they may have under it.”

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy  by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

  • Comparing information in the consumer report with information that the user
      ◦ obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,
      ◦ maintains in its own records, such as applications or change of address requests, or
      ◦ obtains from third parties;
  • Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and
  • Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.

           

While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.

           

Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice, and within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise assess the validity of the change of address in accordance with its written policies and procedures established to comply with the Rule.

For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov./redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules. 

 

Proskauer summer associate Rebecca Guttman contributed to this post.     

Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion).  However,  a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

Red Flags Rule Interpretation Raises Red Flags

We noted in an earlier post that the FTC determined that the Red Flags Rule applies to retailers who pass credit card applications on to lenders. However, there appear to be strong arguments against this interpretation.

The Red Flags Rule relies on the Equal Credit Opportunity Act’s definition of “creditor,” which is codified at 12 C.F.R. § 202.2(l):

Creditor means a person who, in the ordinary course of business, regularly participates in a credit decision, including setting the terms of the credit. The term creditor includes a creditor's assignee, transferee, or subrogee who so participates. For purposes of Sec. 202.4(a) and (b), the term creditor also includes a person who, in the  ordinary course of business, regularly refers applicants or prospective applicants to creditors, or selects or offers to select creditors to whom requests for credit may be made.  A person is not a creditor regarding any violation of the Act or this regulation committed by another creditor unless the person knew or had reasonable notice of the act, policy, or practice that constituted the violation before becoming involved in the credit transaction. The term does not include a person  whose only participation in a credit transaction involves honoring a credit card.

(emphasis added).

By its terms, the definition of “creditor” encompasses a person who “refers applicants or prospective applicants” only for purposes of §§ 202.4(a) and (b). Those sections address non-discrimination and non-discouragement in extension of credit. Thus, if a retailer were to discourage someone from applying for a cobranded credit card, or if it were to select which credit card applications to pass on to the lender, that retailer might be liable under ECOA Regulation B. But the rest of Regulation B does not apply to those who simply pass on credit applications. See, e.g., Treadway v. Gateway Chevrolet Oldsmobile Inc., 362 F.3d 971, 978-79 (2004) (holding that automobile dealership was creditor because it "regularly participated in a credit decision" by deciding whether to pass an application on to the lender, though it would not be a creditor if all it did was pass applications on without making such decisions) (decision attached).

The Federal Reserve Board's supplement to the § 202.2(l) comments supports this interpretation and was partially the basis for the Seventh Circuit's opinion in Treadway:

Some industry commenters expressed concern that the clarification would include in the definition of creditor persons without discretion to decide whether credit will be extended. The Board recognizes that in the credit application process persons may play a variety of roles, from accepting applications through extending or denying credit. Comment 2(l)-2 is intended to clarify that where the only role a person plays is accepting and referring applications for credit, or selecting creditors to whom applications will be made, the person meets the definition of creditor, but only for purposes of the prohibitions against discrimination and discouragement. For example, an automobile dealer may merely accept and refer applications for credit, or it may accept applications, perform underwriting, and make a decision whether to extend credit. Where the automobile dealer only accepts applications for credit and refers those applications to another creditor who makes the credit decision-for example, where the dealer does not participate in setting the terms of the credit or making the credit decision-the dealer is subject only to §§ 202.4(a) and (b) for purposes of compliance with Regulation B.

68 F.R. 13144, 13155, quoted in Treadway, 362 F.3d at 979.

Finally, other recent cases are consistent with both the supplemental comment and Treadway. See, e.g., Cochran v. Northeast Mortgage, LLC, Civil No. 3:06CV01131(AWT), 2007 U.S. Dist. LEXIS 61125, at **5-7 (D. Conn. Aug. 21, 2007); Barnette v. Brook Rd., Inc., 457 F. Supp. 2d 647, 654-655 (E.D. Va. 2006); Logsdon v. Dennison Corp., Case No. 05-1242, 2007 U.S. Dist. LEXIS 41501, at **8-10 (C.D. Ill. June 7, 2007).

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program. In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement, though, does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

Confusion Among Companies Regarding Coverage

The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently.  The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.

As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.” Therefore, the FTC will delay enforcement of the new rules for six months. Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.

Who and What Are Covered

A company must consider whether it would be considered a covered entity – i.e., a financial institution or a creditor.  Financial institutions include banks, mortgage lenders, savings and loan associations, mutual savings banks, credit unions or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.  As to the definition of creditor, the Red Flag Rules reference the Equal Credit Opportunity Act (“ECOA”), which defines a creditor as anyone who grants to a debtor the right “to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”  In its Enforcement Policy Statement, the FTC noted that under the ECOA’s definition, “any person that provides a product or service for which the consumer pays after delivery is a creditor.”  Thus, under this broad interpretation, many companies that permit their customers to defer payment for any purchase may be covered under the rules. 

Once a company determines that it is indeed a covered entity, it must assess which of its accounts or products fall under the definition of “covered accounts” – a red flag program need only apply to these covered accounts.  The definition of “covered account” is divided into two parts:  (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

Covered entities then must develop written policies and procedures not only to identify and detect red flags, but also to respond to red flags by preventing or mitigating potential identity theft. A red flag is a pattern, practice or activity that could indicate identity theft. Because covered entities must tailor their red flags programs to their particular business, these companies will need to do a risk assessment to evaluate current identity theft prevention measures, their shortcomings and the risks to customers. In addition, companies must periodically update their identity theft programs to address emerging threats. The final rules became effective on January 1, 2008, and, prior to this announcement, covered entities were required to comply by November 1, 2008. You can read more about the Red Flag Rules here.

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.