Federal Identity Theft Rules; FTC To Begin Enforcement on August 1, 2009
Under the Red Flags Rules, covered entities (including non-profit organizations) must implement a Red Flags Compliance Program.
On January 1, 2008, the Federal Trade Commission and five other governmental agencies jointly issued the Identity Theft Red Flags and Address Discrepancy Rules (the “Rules”). Under the Rules, financial institutions and creditors that maintain certain kinds of “covered accounts” must develop and implement a written program to detect and respond to possible incidents of identity theft.
Concerned that many entities are not aware that they must comply with the Rules, the FTC announced that it will delay enforcement of the Red Flags portion of the Rules to give the entities under its jurisdiction more time to comply. The original November 1, 2008 deadline for compliance has been moved back to August 1, 2009. The revised compliance deadline does not extend to all covered entities – financial institutions are currently required to have a Compliance Program.
Although the Rules appear to focus primarily on the financial sector, they actually affect a much broader group of businesses and organizations. In an Enforcement Policy Statement, the FTC noted that “any person that provides a product or service for which the consumer pays after delivery is a creditor” and is subject to the Rules. For example, FTC staff attorneys have told several different groups – including the American Medical Association, the American Hospital Association and the American Bar Association – that physicians, hospitals, and other health care providers are “creditors” under the Red Flag Rules if they do not require full payment at the time their services are rendered.
Creditors With “Covered Accounts” Must Implement a Red Flags Program
If an entity qualifies as a “creditor,” it must determine whether it maintains “covered accounts” for its customers. Under the Rules, a covered account is one that is (i) offered or maintained “primarily for personal, family, or household purposes, that … permit[s] multiple payments or transactions,” or (ii) any other account offered or maintained by an entity where there is a reasonable risk of identity theft.
Any creditor that maintains “covered accounts” must implement a Red Flags Compliance Program before August 1, 2009.
FTC Twice Delays Enforcement to Give Entities More Time to Implement a Program
On October 22, 2008, the FTC announced that it would suspend enforcement of the Red Flags Rules for six months. “Given the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule … would be neither equitable for the covered entities nor beneficial to the public,” the FTC stated in its announcement. “Delaying Commission enforcement … will allow these entities to take the appropriate care and consideration in developing and implementing their programs.”
On April 30, 2009, the FTC again announced that it would suspend enforcement of the Red Flags Rules, this time for three months, until August 1, 2009. Chairman Jon Leibowitz said:
Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associates to share guidance with their members… and give Congress time to consider the issue further.
The compliance deadline has not been extended further. The extension of the enforcement deadline only applies to entities that fall under the jurisdiction of the FTC. Entities that are regulated by the other agencies charged with enforcing the Rules should not assume they have a similar reprieve.
The following are answers to some frequently asked questions about the Red Flags Rules:
Q: I think my entity qualifies as a creditor with “covered accounts.” What should I do?
A: If you think your entity may fall under the Rules, it is recommended that you implement a Red Flags Compliance Program. Why? Non-compliance with the Rules can result in penalties from the FTC of up to $3,500 per individual violation. More importantly, though, a Red Flags Compliance Program is an excellent “best practice” that helps protect your customers from the growing threat of identity theft.
The FTC has extended the deadline for compliance, so there is time to develop a program that works for your entity while satisfying the Rule.
Q: How do I develop a Red Flags Compliance Program?
A: A Red Flags Compliance Program is comprised of (i) a set of written policies and (ii) a set of procedures designed to detect and respond to certain Red Flags. A Red Flag is a pattern, practice or suspicious activity that may indicate that Identity Theft is taking place. In developing a Program, each entity should compile a list of Red Flags that relate to its business operations, develop procedures for detecting those Red Flags and outline a process for appropriately responding when a Red Flag is detected.
The Rules are relatively flexible and allow each entity to tailor its Program to reflect the size, scope and sophistication of its operations. If your business operations are relatively simple, your Red Flags Compliance Program may similarly be simple.
Once an entity develops a Program, it must be approved by the entity’s board of directors (or senior staff member(s), if the entity does not have a board). The Rules also require each entity to periodically review its existing Program and update it as necessary.
Q: Where can I get more information?
A: Holland & Knight lawyers can provide guidance on the Red Flags Rules and assist you with all issues pertaining to the requirements of a compliance Program, or help you to develop a Program. The firm has held a web-based seminar to discuss the Rules and to provide information about creating a Red Flags Compliance Program, which can be accessed at http://webinars.hklaw.com/p43275407.