Are you ready? Red Flag ID theft regs must fly by Nov. 1

Editor's note: Since this article was published, the deadline for compliance has been extended to May 1, 2009.

November 1, 2008 is the deadline for compliance with the federal “Red Flag” anti-identity theft regulations. These regulations apply far more broadly than generally understood. Even if these regulations do not apply to your company specifically, they establish a good process for you to deploy to avoid becoming the source of identity theft risks for your customers and employees.

The “Red Flag” anti-identity theft rules were easy for utilities, medical care providers, automobile dealers, and general businesses to overlook. They were adopted under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), a statute intended generally to extend and update the Fair Credit Reporting Act. The Red Flag rules were issued jointly by various federal agencies that regulate financial institutions, including the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Trade Commission (“FTC”). As such, many businesses have assumed that these regulations are directed only at banks, mortgage lenders and other traditional creditors. But they are not so limited. Because the Red Flag rules define “creditor” very broadly, many other types of businesses that extend credit may need to comply.

Who must comply?

The Red Flag rules apply to any “creditor,” which means “any person or business who arranges for the extension, renewal, or continuation of credit” with a “covered account.” An “account” means a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property as well as pure credit relationships. A “covered account” is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, and (2) any other account (including an account for business purposes) for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. What are the Red Flag requirements?

The Red Flag rules require a creditor to develop and implement a written program having reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The program must enable a creditor to:

• Periodically determine whether it offers or maintains a “covered account.”
• Identify relevant patterns, practices, and specific forms of activity that are “Red Flags” signaling possible identity theft.
• Detect when such Red Flags are occurring in the entity's business activities.
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
• Ensure the program is updated periodically to reflect changes in risks from identity theft.

Under these regulations, “identity theft” means “a fraud committed or attempted using the identifying information of another person without authority.” Identifying information means any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: Social Security number; date of birth; official State or government issued driver's license or identification number; passport number; alien registration number; unique biometric data; unique electronic identification number, address, or routing code; or telecommunication identifying information or address device, etc. Thus under the Red Flag regulations, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of “identity theft.”

Indicators of possible risk of identity theft include precursors to identity theft such as phishing (using enticing email masquerading as legitimate communications to bait the consumer into revealing sensitive information), vishing (using social engineering and voice communications to gain access to private personal and financial information), and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. An appropriate Red Flag may consist of any number of relevant facts, such as the exhaustion of lifetime benefit limits, duplicate services, fraudulent reimbursement or insurance submissions, fraudulent utility usage, or discrepancies in information collected at the time of providing services. In order to properly define and implement its Red Flags program, creditors must learn lessons from others, keeping abreast of the identity theft environment and tapping sources such as literature and information from credit bureaus, financial institutions, other creditors, designers of fraud detection software, and the business' own experience.

Your board of directors must also become involved in your Red Flags program. Each entity that is required to implement a program must (1) obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors and (2) involve the board of directors, an appropriate committee, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of your program.

Other considerations

Your potential responsibilities under the Red Flag rules touch on other regulatory compliance issues that require careful consideration, such as whether the Equal Credit Opportunity Act may also apply to your credit activities. In addition, there is much more in the Red Flag regulations that must be done in time to meet the November 1, 2008 deadline. You may not like these new rules, but they do serve business needs as well as compliance purposes, and the potential sanctions for failure to comply make compliance the clear choice.

Special thanks to my law partner, Jennifer Karron, for her comments on this article.