Identity Theft: Red Flag Regulations and Guidelines
March 2009

Lalitha Rao, Esq.
Jay Peabody, Esq.

Summary and Recommendations
Compliance by May 1, 2009

In November 2007, the Federal Trade Commission (“FTC”), National Credit Union Administration and various federal bank regulatory agencies jointly issued final rules and guidelines known as the “Red Flags Rule” implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The Red Flags Rule requires that “financial institutions” and “creditors” that offer or maintain one or more “covered accounts” must develop and implement a written identity theft prevention program (“Program”). The Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening or maintenance of such covered accounts. Organizations should design the Program based on their size and complexity as well as the nature and scope of their activities.

Identity Theft
Identity theft refers to a fraud that is committed or attempted by using the identifying information of another person. Identifying information includes any name or number that may be used in conjunction with other information to identify a specific person. This includes one’s social security number, driver’s license number, electronic identification number or fingerprint. If even a single piece of a person’s identifying information is used to create a fictitious identity, it is an example of identity theft.

Which entities must comply with the Red Flags?
The Red Flags Rule applies to “financial institutions and creditors that offer or maintain covered accounts”. Financial institutions include State and Federal banks, savings and loan associations, credit unions and mutual savings banks. Creditors are organizations that regularly extend, renew, or continue credit. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, third-party debt collectors and any other entity that defers payments for goods or services.

As such, the following organizations should be aware that they may need to comply with the Red Flags Rule: Federal and State banks, Federal and State credit unions, mutual savings banks, non-bank lenders, mortgage brokers, automobile dealers, utility companies, telecommunications companies, universities, hospitals, non-profit and government entities [1], and any other entity that regularly participates in a credit decision, including setting the terms of credit.

There are two types of covered accounts. The first type of covered account includes accounts that are for personal, family or household purposes that are designed to permit multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, or savings accounts. The second type of covered account is defined very broadly as, “any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.” This is meant to cover other accounts that may be vulnerable to identity theft, such as small business accounts or sole proprietorship accounts. Financial institutions and creditors should periodically determine whether they maintain these covered accounts.

Elements of the Program
Programs should be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program should be tailored to fit the particular organization’s: 1) size, 2) complexity and 3) nature of operations. As applicable, organizations can incorporate their existing policies and procedures that control reasonably foreseeable risks of identity theft into the Program.

Each organization’s Program must be in writing and must contain policies and procedures to address the following four requirements:

1. Identify Red Flags
A “Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Organizations should identify relevant Red Flags based on their own experiences with identity theft and applicable supervisory guidance. The Red Flags Rule provides a list of illustrative examples of Red Flags, which organizations may incorporate into their Program.

When identifying Red Flags, organizations should consider the types of covered accounts maintained and the methods for opening and accessing these accounts. As applicable, organizations should identify Red Flags in the following five categories:

  1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services (e.g., a consumer reporting agency provides a notice of address discrepancy);
  2. The presentation of suspicious documents (e.g., an application appears to have been altered or forged);
  3. The presentation of suspicious personal identifying information (e.g., the SSN provided is the same as that submitted by other persons opening an account or by other customers);
  4. The unusual use of, or other suspicious activity related to, a covered account (e.g., a material change in purchasing or spending patterns); and
  5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

2. Detect Red Flags
The Program should detect Red Flags in connection with opening, maintaining and accessing a covered account. This may include obtaining identifying information about, and verifying the identity of, a person opening a covered account. It can also include authenticating customers, monitoring transactions, and verifying the validity of change of address requests.

3. Respond to Red Flags
Once a Red Flag is detected, an organization should evaluate the degree of risk and the nature of the information in determining the appropriate response. Among other responses, an organization can respond by:
  • Contacting the customer
  • Changing any passwords, security codes, or other security devices that permit access to a customer’s account
  • Reopening an account with a new account number
  • Not opening a new account
  • Closing an existing account
  • Not attempting to collect on a covered account or not selling a covered account to a debt collector
  • Notifying law enforcement
  • Determining that no response is warranted under the circumstances

4. Update the Program
A Program should be updated periodically to reflect changes in risks to customers. In determining when to update their Program, organizations should consider the following:
  • Changes in methods of identity theft
  • Changes in methods to detect, prevent, and mitigate identity theft
  • Changes in the types of accounts offered and maintained
  • Changes in the business arrangements of the entity (including mergers, acquisitions, alliances, joint ventures, and service provider arrangements)

Administration of the Program
The initial Program must be approved by the organization’s board of directors, an appropriate committee of the board of directors, or a designated employee at the level of senior management. All staff must be trained, as needed, during implementation of the Program. Ongoing administration and maintenance of the Program should be done by the board of directors or a designated committee or employee.

Service Providers
Any organization that must comply with the Red Flags Rule is responsible for exercising appropriate and effective oversight of third-party service providers. Third-party service providers may be responsible for a number of activities related to the financial institutions and creditors and thus may have access to customer information. The Red Flags Rule makes it clear that financial institutions and creditors cannot escape their compliance obligations by outsourcing an activity, but it does not impose any specific requirements as to how service provider arrangements should be managed.

Thus, financial institutions and creditors have flexibility in managing these service provider arrangements. At a minimum, a financial institution or creditor should require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, to report those Red Flags to the financial institution or creditor, and to take other appropriate steps to prevent or mitigate identity theft.

Implementation and Compliance
The FTC does not mandate any specific language, policies or procedures that must be included in a Program. Rather, as long as an organization complies with the basic requirements mandated by the Red Flags Rule, each organization has the flexibility to tailor its Program to fit such organization’s size and complexity, and the scope and nature of its operations. When monitoring compliance with the Red Flags Rule, the FTC will be looking for a good faith, reasonable effort by an organization to comply with such Rule.

Note: The FTC may impose civil penalties of up to $2,500 per violation for knowing violations of the Red Flags Rule that constitute a pattern or practice. If the FTC deems a violation of the Red Flags Rule to be unfair and deceptive, the FTC may use its adjudicatory authority to issue a cease and desist order against an organization.

Note: Other regulations have provisions similar to the Red Flags Rule described herein. Organizations that comply with the regulations below may be in compliance with a number of the requirements listed in the Red Flags Rule.

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act applies to banks, credit unions, brokers, investment companies and advisers, and insurance companies. These organizations have an affirmative and continuing obligation to respect the privacy of their customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

Patriot Act
Section 326 of the Patriot Act applies to banks, credit unions, insurance companies, investment companies and other financial institutions. These institutions must verify the identity of any person seeking to open an account, maintain records of the information used to verify the person’s identity, and determine whether the person appears on any terrorist lists provided to the institution by any government agency.

Massachusetts General Law 93H, Security Breaches
This law applies to any person that owns or licenses personal information about a Massachusetts resident. There should be policies and procedures that safeguard the personal information of such residents. Note that on February 12, 2009, the MA Office of Consumer Affairs and Business Regulation issued new regulations on identity theft. The regulations will take effect January 1, 2010, and mandate that personal information be encrypted when stored on portable devices, or transmitted wirelessly or on public networks.

Rhode Island General Law §11-49.2, Identity Theft Protection
This law applies to any business that retains computerized unencrypted personal information of Rhode Island residents as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. These businesses shall implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

[1] The FTC in a recent business alert stated “where non-profit and government entities defer payment for goods and services, they, too, are to be considered creditors.”