The Red Flags Rule, Delayed Enforcement and Amendments

It has been estimated that up to nine million Americans are victims of identity theft each year. However, consumers are largely unable to prevent or detect identity theft themselves and instead depend on businesses and organizations to spot anomalies. For this reason, the Red Flags Rule was developed in order to spot warning signs (“red flags”), prevent identity theft and limit the damage that may be done. This article takes a closer look at the Red Flags Rule, as well as a recently introduced bill that may have important implications for the Rule.

Background: The Red Flags Rule
The FTC’s Identity Theft Red Flags Rule became effective on January 1, 2008. It was then delayed and the FTC set a target date for enforcement as of December 31, 2010. The reason for the delay was to give Congress enough time to finalize legislation limiting the scope of businesses covered by the Red Flags Rule. Any legislation passed by Congress limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010 will be enforced by the FTC as of that date.

The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act (FACTA), which requires the FTC, amongst other agencies, to develop regulations that require creditors and financial institutions to address the risk of identity theft. FACTA addressed the need for businesses to be involved in identity theft protection. It obliges financial institutions, creditors and other businesses that use consumer reports to detect and resolve identity theft-related fraud.

What are the “red flags”?
The Red Flags Rule requires businesses and organizations to implement a formal Identity Theft Prevention Program. Such a program should detect the “red flags,” or warning signs that identity theft may be taking place. Red flags are defined as “suspicious patterns or practices, or specific activities, that indicate the possibility of an identity theft.”

The Rule sets out that the Identity Theft Prevention Program be composed of the following four elements:

1. Identify relevant red flags: The Program should be made up of policies and procedures for identifying red flags during day-to-day operations.

2. Detect red flags: The Program should be designed to detect the red flags that have been identified.

3. Prevent and mitigate identity theft: The Program must outline appropriate actions for dealing with red flags.

4. Update the Program: The Program should periodically be re-evaluated, in order to appropriately address the evolving threat of identity theft.

When identifying red flags, it is important for the business or organization to consider the types of accounts that it offers or maintains; how these accounts are opened; and how customers have access to these accounts. There are five categories of common red flags, as outlined below:

Alerts, Notifications and Warnings from a Credit Reporting Company. Changes in credit reports or credit activity may point towards identity theft. Such changes may include: a fraud alert on a credit report; notice of address discrepancy; or a notice of a credit freeze when a credit report is requested.

Suspicious Documents. Examples include: altered/forged identification; inconsistencies between the person presenting the ID and the photo/physical description on the ID; or applications that appear altered/forged.

Suspicious Personal Identifying Information. This may include: inconsistencies with other personally identifying information; fraudulent addresses, phone numbers, etc.; contact information that has been used by other individuals to open accounts; or a person who is unable to provide authenticating information.

Suspicious Account Activity. Usage of the account can also signal fraud. For example: an account that is being used inconsistently; new accounts that are used in ways generally associated with fraud; inactive accounts that are suddenly being used; or information regarding unauthorized charges on the account.

Notice from Other Sources. Information that an account is being used fraudulently may come from customers, victims of identity theft, law enforcement authorities, etc.

Who is covered by the Red Flags Rule?
The Red Flags Rule applies to financial institutions and creditors. Under the Rule, a financial institution includes:
• A state or national bank
• A state or federal savings and loan association
• A mutual savings bank
• A state or federal credit union
• Any entity that directly or indirectly holds a transaction account that belongs to a consumer

Under the rule, creditors are defined as:
• Businesses or organizations which provide goods or services to customers first and allow them to pay later. Examples include: utilities, health care providers, lawyers, accountants and telecommunications companies.
• Businesses or organizations that grant or arrange loans; extend credit; and make credit decisions. Examples include: finance companies, mortgage brokers, auto dealers, retailers that offer financing and retailers that collect/process credit applications for third parties.
• Anyone who participates in decisions to extend, renew, continue credit, or in setting the terms of credit. Examples would include third-party debt collectors who negotiate the terms of the debt.

According to the FTC, businesses or organizations that have a low risk of identity theft are permitted to complete a do-it-yourself prevention guide. Risk is assessed through the following questions:
1. Do you know your clients personally?
2. Do you usually provide your services at customers’ homes?
3. Have you ever experienced an incident of identity theft?
4. Are you in a business where identity theft is uncommon?

H.R. 6420
The Red Flag Program Clarification Act of 2010 (also referred to as H.R. 6420) was first introduced on November 17, 2010 by Representative John Adler (D-NJ). H.R. 6420 was drafted to “amend the Fair Credit Reporting Act (FCRA) with respect to the applicability of identity theft guidelines to creditors.” The objective of the bill is to limit the scope of the FTC Identity Theft Red Flags Rule.

H.R. 6420 would limit the definition of “creditor” to exclude those “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” This definition would also apply to other creditors, if “such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.” H.R. 6420 was developed in order to respond to concerns that the current definition of “creditor” extends the scope of the Red Flags Rule inappropriately. A number of members of Congress voiced their concern that the Rule may include attorneys, law firms and health providers.

This article takes a look at the Red Flags Rule, which was developed under FACTA (the Fair and Accurate Credit Transactions Act). The purpose of the Rule was to ensure that businesses and organizations were taking the appropriate steps to prevent and respond to identity theft. Although the Rule became effective on January 1, 2008, its enforcement date has repeatedly been postponed. Currently, the FTC must begin enforcing the Rule on December 31, 2010. This delay is due to the amendments that have been made to the Rule, the most recent being H.R. 6420, or the Red Flag Program Clarification Act of 2010.

CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:
• Regulatory Authorities – Federal Trade Commission (CIPP; I.A.c.i.)
• Fair Credit Reporting Act of 1970 (CIPP; I.B.a.v.1.)
• Fair and Accurate Credit Transactions Act of 2003 (CIPP; I.B.a.v.1.)
• Incident Response Programs (CIPP; II.C.c.)


1 comment to The Red Flags Rule, Delayed Enforcement and Amendments

  • IDTheftReview

    Prevention of identity theft should be teamwork from individuals, companies as well as the government. Providing policies like this can be very useful, especially in providing the public with information that may help them recognize and terminate possible identity theft. In that way, identity theft may shrink in terms of incidences.
