Federal Trade Commission Issues Updated Guidance on Compliance with Red Flags Rule
In 2007, the Federal Trade Commission (“FTC”) and other federal financial regulatory agencies adopted the Red Flags Rule (the “Rule”) in an effort to enhance detection, prevention and mitigation of identity theft. After the Rule became effective on January 1, 2008, the FTC extended the compliance deadline several times – ultimately to December 31, 2010 – for enforcement of the Rule. The Rule has an expansive application and requires both “financial institutions” and “creditors” that hold consumer accounts designed to permit multiple payments or transactions – or any other account for which there is a reasonably foreseeable risk of identity theft – to develop and implement an Identity Theft Prevention Program (the “Program”) for new and existing accounts.
The definition of “financial institution” includes all banks, savings associations, and credit unions, regardless of whether they hold a transaction account belonging to a consumer, as well as any other entity that directly or indirectly holds a transaction account belonging to a consumer. Congress amended the definition of “creditor” in December 2010, and the Rule now includes those creditors who regularly, and in the ordinary course of business, meet one of three general criteria. To be subject to the Rule, a creditor must either:
- obtain or use consumer reports in connection with a credit transaction;
- furnish information to consumer reporting agencies in connection with a credit transaction; or
- advance funds to – or on behalf of – someone, except for funds for expenses incidental to a service provided by the creditor to that person.
Due to some confusion surrounding the Rule at the time of its enactment, the FTC developed several on-line tools and resources to assist businesses with compliance, including a Business Guide (the “Guide”). These resources are available at ftc.gov/redflagsrule and were revised and updated this week to address lingering questions about who must comply with the Rule and what businesses need to do to comply with it. For example, the FTC created sample programs to serve as a model for businesses with a low risk of identity theft. The FTC also prepared a list of “frequently asked questions” to help businesses comply with the Rule.
In addition to providing updated responses to the “frequently asked questions,” the Guide sets forth a four-step process to assist businesses in developing and revising their “Programs.” First, a business should identify relevant red flags. Red flags are possible practices, patterns or activities that indicate the likelihood of identity theft. Second, a business should take steps to detect red flags. For example, use of identity verification and authentication methods may help detect red flags. Third, a business should have a plan in place to prevent and mitigate identity theft when it spots a red flag. The response of a business to a red flag should depend on the degree of risk posed by the red flag. Fourth, a business should continue to update its Program. As technology evolves and identity thieves develop new tactics, a business will need to modify its Program accordingly. Businesses subject to the Rule should periodically monitor the FTC’s resources to determine any changes in best practices for compliance.
For more information, see the FTC’s Guide.
This is one in a series of advisories regarding the “Red Flags Rule.” If you have any questions or would like copies of previous advisories related to this topic, please contact David N. Anthony, Alan D. Wingfield, Paige S. Fitzgerald or Anne Hampton Andrews. Troutman Sanders LLP offers a full array of services to help bring companies into compliance with the Red Flags Rule.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.