FTC Delays Enforcement of Red Flags Rule

July 30, 2009

The Federal Trade Commission announced July 29 that it would further delay enforcement of the anti-fraud Red Flags Rule until Nov. 1 to give creditors and financial institutions more time to review guidance and develop and implement written Identity Theft Prevention Programs.

The regulation was slated to go into effect Aug. 1. The FTC has already delayed enforcement several times since Oct. 22, 2008.

Important links for more information:

The Red Flags Rule requires “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA).

A “financial institution” is a bank, savings and loan, credit union, or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers. Examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts. Another example would be a brokerage account that allows consumers to write checks. The FTC does not specifically mention the title insurance industry or escrow accounts in regard to the Rule. The American Land Title Association is working with the FTC to see if the industry falls under this regulation.

Your business or organization is a “creditor” if you regularly:

  • extend, renew, or continue credit;
  • arrange for someone else to extend, renew, or continue credit; or
  • are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Under the Rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.

If you determine you’re a financial institution or a creditor, the next step is to see if you have “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts.

The other is one for which there is a foreseeable risk of identity theft. For example, one type of account that should be considered for coverage because it may be vulnerable to identity theft is a small business or sole proprietorship account. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed — i.e. what type of interaction and documentation is required — as well as your experience with identity theft.

If your business or organization is a financial institution or creditor, but does not have any covered accounts, you don’t need a program. But if you have covered accounts, you must develop a written program to identify and address the red flags that could indicate identity theft.

An organization’s Identity Theft Prevention Program, also known as a Red Flag Policy, must be appropriately tailored to its size, risks and complexity. To learn more on how to build an identity theft prevention program, check out this guided four-step process: Fighting Fraud with the Red Flags Rule: A How-to Guide for Business, which is provided by the FTC.

Red Flags Rule
Your compliance program should include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

  • Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program
  • Detect red flags that have been incorporated into the Program
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
  • Ensure the Program is updated periodically to reflect changes in risks from identity theft

Identify Relevant Red Flags
Under the Rule, financial institutions and creditors with covered accounts must develop a written program to identify the warning signs of identity theft.

The Guidelines describe the following categories of warning signs — red flags — that your program must identify and address:

  • alerts, notifications, or warnings from a consumer reporting agency;
  • suspicious documents;
  • suspicious personally identifying information;
  • suspicious activity relating to a covered account; or
  • notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

When identifying red flags, consider the nature of your business and the type of identity theft to which you might be vulnerable.

Detect Red Flags
Once you’ve identified the red flags that are relevant to your organization or business, you must establish policies and procedures to detect them in your day-to-day operations.

For example, you may spot red flags when you verify a consumer’s identity, authenticate customers, monitor transactions, or verify requests for changes of address. Some red flags may seem harmless on their own, but can signal identity theft when paired with other events, say, a change of address coupled with the use of an address associated with fraudulent accounts.
Prevent and Mitigate Identity Theft

Your program must include appropriate responses to your red flags to prevent and mitigate identity theft. These responses could include monitoring an account, closing an account, not opening a new account, contacting the consumer when you spot a red flag, or a combination. Sometimes you may determine that no response is necessary. In other cases, certain events — such as a recent data breach, a phishing fraud that targeted your business or organization, or another suspicious activity — may raise the risk of identity theft and require specific preventive actions.

Update Your Program Periodically
Because identity theft threats change, your program must describe how you will update it to ensure that you are considering new risks and trends.
Administering Your Program

No matter how good your program looks on paper, the true test is how it works. Your program must describe how it will be administered, including how you will get the approval of your management, maintain the program, and keep it current.

According to the Rule, your program must be approved by your Board of Directors or, if your business or organization doesn’t have a Board, by a senior employee. The Board or designated senior employee also must approve any material changes to the program. Your program should include staff training as appropriate, and provide a way for you to monitor the work of your service providers. The keys are to maintain oversight of the program, keep it relevant and current, and ensure that all necessary members of your staff — from the boardroom to the mail room — are on board. A program that stays in a filing cabinet isn’t a good program.

Penalties for Noncompliance
Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties. The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court, on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order.  Failure to comply with the court order could subject the parties to further penalties and injunctive relief.


Contact ALTA at 202-296-3671 or communications@alta.org.