Identity Theft “Red Flag” Rules

By Stephanie Jordan
in

The Federal Trade Commission (FTC) announced recently that it would suspend enforcement of the new “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. The FTC, the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Although the final rule became effective on January 1, 2008, the programs were to be in place by November 1 and had to provide for the identification, detection, and response to patterns, practices, or specific activities—known as “red flags”—that could indicate identity theft.

The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the Rules:

  • A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
  • A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
  • A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.
  • A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft—for example, small business or sole proprietorship accounts.

During the course of the Commission’s education and outreach efforts following publication of the rule, the Commission learned some industries and entities within the FTC’s jurisdiction expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA’s definitions of “creditor” or “financial institution.” Many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008. Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is not sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the FTC opted to delay until May 1, 2009. The Commission intends to conduct additional education and outreach regarding the rule.

For more information, and questions about compliance with the Rules, contact RedFlags [at] ftc [dot] gov (RedFlags [at] ftc [dot] gov.)

Published December 5, 2008