New Identity Theft Rules Affect Businesses

Faced with the reality that identity theft continues to cause billions of dollars in losses for individuals and businesses each year, the Federal Trade Commission (FTC) has issued “Red Flag Rules” that are intended to fight the problem by requiring businesses to implement procedures designed to detect and respond to identity theft.

Covered Accounts
The rules apply to financial institutions and creditors with “covered accounts.” The category of financial institutions includes entities such as banks, savings and loans, and credit unions holding “transactional accounts,” meaning a deposit or other account from which the owner makes payments or transfers.

The creditor category has raised some eyebrows because it embraces some businesses that in everyday parlance may not have been considered to be creditors. Basically, a “creditor” is broadly defined as any entity that regularly extends, renews, or continues credit. For example, this means finance companies, automobile dealers, mortgage brokers, and utilities, but it also means nonprofits and governmental entities that defer payment for goods or services.

An account is a “covered account” under the new rules if it is used mostly for personal, family, or household purposes, or if it is an account for which there is a foreseeable risk of identity theft, such as small business and sole proprietorship accounts.

Entities subject to the rules must develop a written policy to identify and detect the warning signs, or “red flags,” of identity theft. Detection should involve the regular review of accounts, at a minimum. The plan must describe appropriate responses to prevent or mitigate the effects of the crime. There also must be training for staff members, oversight for any service providers, and overarching management of the plan by the board of directors or senior employees of the financial institution or creditor. How extensive a plan must be will vary depending on the size of the entity and the kind of credit accounts it maintains. The new rules also mandate an annual update of the plan.

Red Flags
So just what are those red flags for possible identity theft? An exhaustive list may not be possible, but a supplement to the Red Flag Rules identifies and describes 26 separate red flags. They fall into five broader categories: (1) alerts, notifications, or warnings from a consumer reporting agency; (2) suspicious documents, including any that have signs of having been altered or forged; (3) suspicious personal identifying information, such as personal information that does not match information from external sources; (4) unusual use of, or suspicious activity relating to, a covered account, such as the use of an account that has been inactive for a long time or, more generally, any sudden and unexplained change in the patterns of activity for an account; and (5) notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

The consequences for not complying with the Red Flag Rules are significant. The FTC itself has provided for the potential imposition of monetary sanctions and an FTC enforcement proceeding. An even more far-reaching incentive for compliance is not to be found in the fine print of the rules but is no less real: The Red Flag Rules are likely to become the prevailing standard of care for what preventive measures companies are expected to take if they hope to be able to defend themselves successfully in civil lawsuits arising out of identity theft.