It is no secret that identity theft is on the rise. To help combat and prevent identity theft, the Federal Trade Commission (“FTC”) enacted regulations known as the Red Flag Rules. These Rules require certain businesses to develop and implement a written identity theft prevention program. The deadline for enforcement of the Rules is August 1, 2009. Per the regulations, a Red Flag is a “pattern, practice, or specific activity that indicates the possible existence of identity theft.”
It is estimated that the Red Flag Rules will apply to 11 million companies and individuals. The businesses primarily affected by the Red Flag Rules are financial institutions and creditors with covered accounts. These Rules are not limited to banks and credit card companies. The broad definition of “creditor” includes any entity that regularly extends, renews, or continues credit. In practical terms, if a business accepts payment after the product was sold (or a service was rendered), it can be classified as a creditor. The creditor category includes finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, doctors, and attorneys. Even non-profit and government entities that defer payment for goods or services are considered creditors. However, the mere acceptance of credit cards does not bring an entity within the definition of a creditor.
Covered businesses must develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with covered accounts. The program can vary depending on the size, scope, and complexity of the business. The four basic steps in designing a program to comply with the Red Flag Rules are:
In addition, businesses should appoint a compliance officer to administer the program. Compliance with the Red Flag Rules does allow for flexibility based upon the creditor’s activities and level of identity theft risk associated with the relevant covered accounts.
Businesses that do not comply face civil penalties of up to $2,500 per violation for knowing violations. Additionally, if the FTC finds violations to be “unfair and deceptive,” the FTC may use its adjudicatory authority to issue cease and desist orders and take other enforcement actions. And, businesses could also face potential civil claims brought by private individuals.
- Identify relevant red flags;
- Detect red flags;
- Prevent and mitigate identity theft; and
- Update the program periodically.
Businesses covered by the Red Flag Rules should act promptly to adopt the policies and procedures required to comply. Input from legal counsel can help with the analysis of the applicability of the Red Flag Rules to your particular business, as well as assist in the design and evaluation of effective compliance methods.