Author: Susan Haller Pauley
December 14, 2009
FTC Further Delays Enforcement of Red Flags Rule Until June 1, 2010
On October 30, 2009, in response to a request from Members of Congress who are considering legislation to exempt certain entities (including health care, accounting, and legal entities with fewer than 20 employees) from the Red Flags Rule, the Federal Trade Commission (FTC) agreed to further delay enforcement of its Red Flags Rule until June 1, 2010. (On November 9, 2007, the FTC, the Department of the Treasury (Office of the Comptroller of the Currency and Office of Thrift Supervision), the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration jointly promulgated Red Flags Rules. The FTC's delayed enforcement date does not affect the original November 1, 2008 enforcement deadline of the Red Flags Rules promulgated by these other federal agencies.) On October 30, 2009, in a related development, the U.S. District Court for the District of Columbia ruled that the FTC's Red Flags Rule does not apply to attorneys.
The FTC Red Flags Rule requires certain entities to develop and implement identity theft prevention programs. (The related Rules regarding address discrepancies and changes of address are unaffected by this delay in the enforcement of the FTC Red Flags Rule.) Specifically, the FTC Red Flags Rule requires financial institutions (i.e., those not under the jurisdiction of the federal banking regulatory agencies or the National Credit Union Administration, such as state-chartered credit unions, mutual funds offering accounts with check-writing privileges, and institutions offering accounts where consumers can make payments/transfers to third parties) and creditors with covered accounts to implement programs designed to identify and respond to warning signs (i.e., “red flags”) of possible identity theft. “Creditor” is broadly defined and includes a person who regularly extends, renews, or continues credit or arranges for the extension, renewal, or continuation of credit.
An “account” is defined as “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes.” A “covered account” is (1) an account offered by a financial institution or creditor primarily for personal, family, or household purposes that involves multiple payments or transactions (e.g., credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts); or (2) any other account offered or maintained by a financial institution or creditor for which there is a reasonably foreseeable risk of identity theft. “Identity theft” is defined as “a fraud committed or attempted using the identifying information [e.g., name, Social Security Number, date of birth, driver's license number] of another person without authority” or the attempted use of suspicious account application documents.
In addition to developing a program that identifies and detects identity theft red flags, financial institutions and creditors must also incorporate into their program appropriate responses to prevent and mitigate identity theft as well as update their programs periodically. The Red Flags Rule also requires that Red Flag programs be administered by financial institution/creditor boards of directors or senior employees and provide staff training and service provider oversight.
Susan Pauley
Chase Center - Second Floor
1000 Fifth Avenue, Suite 250
Huntington, WV 25701
304.526.8131
susan.pauley@steptoe-johnson.com