The “Red Flags” Rule, part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, requires financial institutions and creditors to develop and implement written identity theft prevention programs. Every business should review its billing and payment procedures to determine whether it is covered by the Red Flags Rule. Whether the law applies to your company isn’t based on your status as a financial institution, but rather on whether your activities fall within the law’s definition of two key terms: creditor and covered account.
- A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.
- A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft (for example, small business or sole proprietorship accounts).
The prevention program must provide for the identification and detection of, and response to, patterns, practices, or specific activities, known as “red flags,” that could indicate identity theft. The program should also describe appropriate responses that would prevent and mitigate the crime, and detail a plan to update the program (keep it current). Program management must be handled by the Board of Directors or senior employees of the financial institution or creditor.
Although the Red Flags Rule has been in effect since January 1, 2008, active enforcement by the Federal Trade Commission, the federal bank regulatory agencies, and the National Credit Union Administration was set to begin on May 1, 2009. Because of ongoing confusion about how the law applies, the May date was delayed until August 1, 2009, and that date has now been further delayed until November 1, 2009.
Noncompliance does carry penalties: violations of the Rule can result in both monetary civil penalties and injunctive relief.
For more about the Red Flags Rule, please contact your compliance advisor at 800-817-7678.