FTC Extends (Yet Again) Enforcement Deadline for Identity Theft Red Flags Rule

The Federal Trade Commission announced today that it is once again extending the deadline for enforcing its “Red Flags” Rule, while Congress considers legislation that would affect the scope of entities covered by the Rule. The FTC is delaying enforcement of the Rule until December 31, 2010 in response to a request from members of Congress who are working to finalize legislation that would limit the scope of business covered by the Rule.

As we’ve previously written, the Rule requires all “creditors” and “financial institutions” that have “covered accounts” to develop and implement programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. The intended (and appropriate) scope of the Rule, however, is anything but clear and the FTC has delayed enforcement of the Rule multiple times in order to address this issue. (Note, however, that the FTC’s announcement does not affect other federal agencies’ ongoing enforcement of the rule as it relates to financial institutions and creditors subject to their oversight. Similarly, the related address discrepancy and card issuer change of address rules are in effect and not delayed.)

Several days before the FTC’s announcement, Senators John Thune (R-SD) and Mark Begich (D-AK) offered up a bill “to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses” that is intended to help clarify the scope of the Rule. The bill includes exemptions from the Rule for certain businesses engaged in health care, accounting, and the practice of law as well as a catch-all for other low-risk entities if they apply to the FTC for exemption.

Will six months be enough to fix the Rule’s problems? Maybe not. So stay tuned!

Doesn't Alice Live Here Anymore? FACTA and the Address Discrepancy Rule

Section 315 of FACTA requires institutions that utilize consumer reports (“users”) to develop and follow certain procedures when notified of an address discrepancy by a national CRA (Equifax, Experian and TransUnion). Under FACTA, national CRAs are required to issue a “notice of address discrepancy” when an address provided by a user requesting a consumer report “substantially differs” from the address the CRA has on file for that consumer. The Address Discrepancy Rule then requires users of consumer reports to develop and implement written policies and procedures to respond to receipt of a discrepancy notice. There are two components to the policies required by the Rule: the first relates to the user’s evaluation of the address discrepancy; the second relates to the user’s potential obligation to report the consumer’s address to the CRA.

Users must establish reasonable policies to enable the user to form a reasonable belief as to whether the consumer report received actually relates to the customer in question. Users must evaluate the address discrepancy regardless of whether a new account with the customer will be opened. Policies and procedures designed to confirm whether a consumer report relates to the consumer about whom the report was requested include:

  • Comparing information in the consumer report with information that the user
      o obtains and uses to verify the consumer’s identity pursuant to Customer Identification Program rules,
      o maintains in its own records, such as applications or change of address requests, or
      o obtains from third parties;
  • Verifying the information provided by the CRA with the consumer by requesting a copy of the applicant’s driver’s license or other proof of current address; and
  • Other reasonable means.

In the event that a user reasonably confirms, through the policies and procedures established, that the report received belongs to the user’s customer, the user may be obligated to report the consumer’s address to the CRA that provided the notice of discrepancy. Such obligation arises if the user establishes a continuing business relationship with the customer and regularly furnishes information, regardless of the type or comprehensiveness, to that particular CRA.

While the Address Discrepancy Rule is designed to identify instances where a user has not received the correct consumer report for the customer inquired upon, a notice of address discrepancy may signal identity theft. Notices of address discrepancy therefore may implicate the Red Flags Rules for users that are financial institutions or creditors.

Also included in the Rule are special provisions regarding change-of-address notices for debit and credit card issuers. If a card issuer receives a change-of-address notice and, within 30 days, receives a request for an additional or replacement card, the card issuer must verify the address before issuing the card. The card issuer may validate the address either when receiving the change-of-address notice or shortly after receiving the request for a card. To validate the address, the issuer must either notify the cardholder at the last known address and provide the cardholder with a means of reporting any incorrect address change, or otherwise assess the validity of the change of address in accordance with its written policies and procedures established to comply with the Rule.

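As an added illustration, not part of the original post and not taken from the Rule or from any real issuer’s system, the following Python sketches how a card issuer might encode the 30-day change-of-address check described above as a screening step on card requests. The event and field names, the inclusive treatment of day 30, and the sample account history are assumptions made here for illustration only.

```python
"""Added example (not part of the post): modelling the card-issuer
change-of-address check described above.

Rule being modelled: when a card issuer receives a change-of-address notice
and, within 30 days, a request for an additional or replacement card, the
issuer must validate the address before issuing the card, either by notifying
the cardholder at the last known (pre-change) address with a way to report a
bogus change, or by other written procedures. The event/field names, the
inclusive treatment of day 30, and the sample history are assumptions made
here for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

WINDOW = timedelta(days=30)  # assumed inclusive: day 30 still counts


@dataclass
class AddressChange:
    account: str
    received: date
    old_address: str         # address on file before the notice
    new_address: str         # address supplied in the notice
    validated: bool = False  # True if the issuer validated it at notice time


@dataclass
class CardRequest:
    account: str
    received: date


@dataclass
class Decision:
    account: str
    request_date: date
    action: str                # "issue" or "hold"
    notify_at: Optional[str]   # where the validation notice goes, if held
    reason: str


def evaluate_card_request(req: CardRequest, changes: List[AddressChange]) -> Decision:
    """Return "issue" unless an unvalidated address change was received in the
    30 days before (or on the day of) the card request."""
    for chg in changes:
        if chg.account != req.account:
            continue
        # Changes received after the request are irrelevant to this request.
        in_window = chg.received <= req.received <= chg.received + WINDOW
        if not in_window or chg.validated:
            continue
        # Hold the card. The notice must go to the *old* address: sending it to
        # the new address would only reach whoever submitted the change.
        return Decision(req.account, req.received, "hold", chg.old_address,
                        f"unvalidated address change received {chg.received.isoformat()}")
    return Decision(req.account, req.received, "issue", None,
                    "no unvalidated address change within 30 days")


def screen_requests(requests: List[CardRequest], changes: List[AddressChange]) -> List[Decision]:
    """Screen a batch of card requests against the address-change history."""
    return [evaluate_card_request(r, changes) for r in requests]


# Constructed sample history (not real data).
SAMPLE_CHANGES = [
    AddressChange("acct-1001", date(2008, 3, 1), "1 Old St", "9 New Ave"),
    AddressChange("acct-2002", date(2008, 3, 1), "5 Elm St", "7 Oak St", validated=True),
    AddressChange("acct-3003", date(2008, 1, 1), "2 Pine Rd", "4 Birch Rd"),
]

SAMPLE_REQUESTS = [
    CardRequest("acct-1001", date(2008, 2, 28)),  # before the change: issue
    CardRequest("acct-1001", date(2008, 3, 20)),  # 19 days after: hold
    CardRequest("acct-1001", date(2008, 3, 31)),  # day 30: hold (inclusive)
    CardRequest("acct-1001", date(2008, 4, 1)),   # day 31: issue
    CardRequest("acct-2002", date(2008, 3, 20)),  # validated at notice time: issue
    CardRequest("acct-3003", date(2008, 3, 20)),  # change 79 days earlier: issue
]

if __name__ == "__main__":
    for d in screen_requests(SAMPLE_REQUESTS, SAMPLE_CHANGES):
        print(d.account, d.request_date, d.action, d.notify_at or "-", d.reason)
```

The one design point worth noting is that a held request carries the pre-change address, not the new one: the Rule’s notification option only works as a fraud control if the notice reaches the address the legitimate cardholder was last known at.
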
For the complete text of the “Address Discrepancy Rule”, please see http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf, and for more information on the Red Flags Rule: http://ftc.gov/redflagsrule. Also check out our prior discussions of the Red Flags and Address Discrepancy Rules.

Proskauer summer associate Rebecca Guttman contributed to this post.     

Red Flags and Address Discrepancies FAQs

On Thursday, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission issued a set of Frequently Asked Questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the Red Flags and Address Discrepancies Rules under FACTA.  Among the answers to the FAQs:

  • Although there is no specific record retention requirement under the Rules, covered entities must be able to demonstrate that they have complied with the requirements of the Rules;
  • All banks, savings associations, and credit unions are covered by the Red Flags Rules as “financial institutions,” whether or not they hold a transaction account belonging to a consumer;
  • The Red Flags Rules do not apply to the foreign branches of U.S. banks but, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws;
  • “Covered accounts” include accounts established in the U.S. by non-U.S. residents;
  • A broker, dealer, investment advisor, or investment or insurance company that is a “financial institution” or “creditor” under the FCRA is covered by the Red Flags Rules, including any such entity that is a subsidiary of a bank or savings association;
  • Corporate credit unions are covered by the Red Flags Rules;
  • If a consumer loan is purchased by another financial institution or creditor, then that entity becomes responsible for applying its Identity Theft Prevention Program to the loan as an existing covered account;
  • The Address Discrepancy Rules only apply to notices of address discrepancy received from an NCRA (Experian, Equifax, and TransUnion). However, a notification of address discrepancy received from an entity that is not an NCRA may be a red flag for purposes of the Red Flags Rules;
  • If a consumer withdraws his or her application to open a new account, a user of a consumer report that receives a notice of address discrepancy need not take steps to establish a reasonable belief that the consumer report relates to the consumer.

For more, check out the FAQs here, and our prior discussions of the Red Flags and Address Discrepancy Rules here.

Red Flag Rules Compliance Deadline Extension Not Grounds to Procrastinate

I spoke with Health Leaders Media about the Red Flag Rules and the FTC's further extension of the compliance deadline, previously discussed here.  The title of the article says it all:  "Don't Delay Because of Red Flags Rule Delay."

FTC Suspends Enforcement of Red Flag Rules For Six Months

The Federal Trade Commission (“FTC”) recently announced that it will not enforce the new Red Flag Rules until May 1, 2009, giving financial institutions and creditors an additional six months to comply by developing and implementing a written identity theft prevention program.  In an Enforcement Policy Statement released on October 22, 2008, the FTC acknowledged the uncertainty felt by many entities and some industries regarding whether they would be considered “covered entities” and thus subject to the rules. This announcement, though, does not affect companies subject to the enforcement authority of federal agencies other than the FTC.

Confusion Among Companies Regarding Coverage

The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently.  The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.

As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.” Therefore, the FTC will delay enforcement of the new rules for six months. Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.

Who and What Are Covered

A company must consider whether it would be considered a covered entity – i.e., a financial institution or a creditor.  Financial institutions include banks, mortgage lenders, savings and loan associations, mutual savings banks, credit unions or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.  As to the definition of creditor, the Red Flag Rules reference the Equal Credit Opportunity Act (“ECOA”), which defines a creditor as anyone who grants to a debtor the right “to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”  In its Enforcement Policy Statement, the FTC noted that under the ECOA’s definition, “any person that provides a product or service for which the consumer pays after delivery is a creditor.”  Thus, under this broad interpretation, many companies that permit their customers to defer payment for any purchase may be covered under the rules. 

Once a company determines that it is indeed a covered entity, it must assess which of its accounts or products fall under the definition of “covered accounts” – a red flag program need only apply to these covered accounts.  The definition of “covered account” is divided into two parts:  (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

Covered entities then must develop written policies and procedures not only to identify and detect red flags, but also to respond to red flags by preventing or mitigating potential identity theft.  A red flag is a pattern, practice or activity that could indicate identity theft.  Because covered entities must tailor their red flags programs to their particular business, these companies will need to conduct a risk assessment to evaluate their current identity theft prevention measures, the shortcomings of those measures and the risks to customers.  In addition, companies must periodically update their identity theft programs to address emerging threats.  The final rules became effective on January 1, 2008, and, prior to this announcement, covered entities were required to comply by November 1, 2008.  You can read more about the Red Flag Rules here.

Red Flag Alert -- Compliance Deadline is November 1, 2008

According to regulations published by the Federal Trade Commission and the federal banking agencies, covered companies that hold any customer accounts must implement identity theft prevention programs that identify and detect “Red Flags” signaling possible identity theft.  Companies establishing such programs must create policies and procedures not only to recognize and detect Red Flags, but also to respond to Red Flags by preventing or mitigating potential identity theft. Furthermore, companies must develop reasonable policies and procedures to verify the identity of a customer opening an account, and must also periodically update their identity theft programs.  The rules went into effect on January 1, 2008, and businesses must comply by November 1, 2008.  You can read more about Red Flags in this Client Alert.