United States: Federal Law Requires Businesses To Implement Formal Identity Theft Prevention Programs

A recent wave of class action lawsuits was aimed at the widespread failure of U.S. retailers to comply with the credit card redaction provisions of the Fair and Accurate Credit Transactions Act (FACTA). FACTA has returned, poised to cause a new generation of challenges for businesses with regulations that are commonly known as the "Red Flags Rule." FACTA applies the Red Flags Rule to any business that allows a consumer to pay for property or services after the property is conveyed or the services are rendered.

The Red Flags Rule Requires Identity Theft Programs

The purpose of the Red Flags Rule is to require businesses to establish procedures to detect identity theft and minimize the damage that identity theft causes. The Red Flags Rule, issued jointly by the Federal Trade Commission (FTC), U.S. Department of the Treasury, Federal Reserve System, Federal Deposit Insurance System and National Credit Union Administration, requires organizations that maintain "covered accounts" to implement a written identity theft prevention program by August 1, 2009. The deadline may be extended by the FTC, but the requirement will not go away and business should be prepared.

FACTA applies the Red Flags Rule to any business that allows a consumer to pay for property or services after the property is conveyed or the services are rendered. In addition to financial institutions, such as banks and savings and loan associations, FACTA applies to any entity that regularly extends, renews or continues credit. (Credit is defined as the right granted by a creditor to a debtor to purchase property or services and defer payment for such purposes.)

Challenges Organizations Face in Compliance

Organizations that are subject to the Rule should be aware of at least three practical challenges when endeavoring to comply.

First, the Red Flags Rule is complex (as a result of guidelines developed by the FTC), involving approximately 26 separate requirements that may or may not apply to different business lines.

Second, the range of businesses subject to the Rule is expansive. As mentioned above, FACTA applies not only to financial institutions and businesses traditionally regulated by the FTC, but also to "creditors" such as utilities, finance companies, mortgage companies, telecommunication companies, any retailers with credit sales, and even physicians and hospitals with patient accounts.

Third, the enforcement policy is already in place, and the current deadline for compliance is August 1, 2009. This means that the plaintiffs' class action bar is geared up for another round of FACTA lawsuits against businesses that ignore or misapply the Red Flags Rule.

Requirements of the Red Flags Rule

There are two components to the Red Flags Rule: the implementation of policies and procedures to respond to address discrepancies contained in consumer reports, which the Red Flags Rule has required since November 1, 2008; and a written identity theft prevention program, which is described in further detail below.

Identity Theft Program

The Red Flags Rule requires creditors that maintain "covered accounts" to establish a written identity theft prevention program containing policies and procedures that are designed to identify patterns, practices or activities that indicate possible identity theft (Red Flags) that are relevant to the creditor's activities; incorporate Red Flags into the creditor's program; detect Red Flags recurring in the creditor's program; respond appropriately to Red Flags to prevent and mitigate identity theft; and ensure that the policies and procedures are updated periodically.

A "covered account" is defined as an account that a "creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions," and any other account that a "creditor offers or maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness" of the creditor "from identity theft, including financial, operational, compliance, reputation, or litigation risks."

As part of the requirements for a formal program in writing, the organization's board of directors, or designated senior management employee in the absence of a board, must approve the initial program, and must be involved in the oversight and administration of the program. To add to the burdens, the program must provide for employee training to implement the program successfully, and effective oversight of any third-party service provider arrangements.

Some Practical Guidelines on Compliance with the Red Flags Rule

Although there are consultants happy to assist with the mechanical aspects of compliance with the Red Flags Rule, your organization may need careful legal advice to understand whether and how the Rule applies to your business, and what is required to avoid penalties and lawsuits. The following are some practical guidelines to assist your organization in initiating a plan to develop a program and otherwise comply with the Red Flags Rule.

• Assemble a team of individuals empowered to act on behalf of your organization, including compliance, legal, business/operations, and others who are familiar with your payment and credit operations.
• Determine whether your organization offers or maintains covered accounts. If so, examine the covered accounts to determine how and when products or services are delivered and charged, and the Red Flags that are relevant to those accounts.
• Address how identified Red Flags should be detected and resolved. The methods developed to detect and resolve Red Flags should be appropriate for the Red Flags identified.
• Include appropriate responses to Red Flags that will assist in identity theft prevention.
• Conduct an annual risk assessment to determine whether the program requires revision to reflect changes in the risks to the organization and its clients.
• Involve the board or a senior management employee to oversee the program, including maintaining documentation that demonstrates such involvement and oversight (e.g., board meeting minutes reviewing the program, copies of program reports that the board reviewed).
• Train employees on relevant components of the Red Flags Rule and how to detect and address Red Flags. Document the content and participants of employee training.
• Monitor service providers that have access to covered accounts in their performance of services for your organization. Require those providers to have a program in place that is relevant to the services they furnish

The Red Flags Rule is intended to be scalable and flexible to accommodate an organization's specific business practices. Recently, the FTC published step-by-step guidance to help an organization determine if it is at low-risk for identity theft. The FTC materials offer examples of practices that may indicate that an entity is at low risk for identity theft. For instance, a sole proprietor who knows all of his or her customers is at lower risk of identity theft than an entity that does not have personal contact with its customers.

For those entities that conclude they are at low-risk, the FTC offers a sample template that, once completed, can be saved and printed out to be used as a policy. While not a solution for every entity, for those that are at low-risk, the materials may be a relatively simple way to create a compliance program. The materials are available on the FTC's Red Flags Rule microsite.

The McDermott Difference

We have considerable experience with FACTA compliance and litigation and are available to talk with you about whether and how the Red Flag Rules apply to your business and how to develop a compliance program.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.