Red Flags Rule

Not to be confused with Red flag traffic laws.

The Red Flags Rule was created by the Federal Trade Commission (FTC), along with other government agencies such as the National Credit Union Administration (NCUA), to help prevent identity theft. The rule was passed in January 2008, and was to be in place by November 1, 2008, but due to push-backs by opposition, the FTC delayed enforcement until December 31, 2010.^[1]

In December 2010, the Red Flags Rule was clarified by the Red Flag Program Clarification Act of 2010 ^[2] to exclude most doctors, lawyers, and other professionals who do not receive full payment at the time when their service is furnished.

History

The Red Flags Rule was based on section 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003^[3] (FACTA).

FACTA was put in place to help

• Identity Theft Prevention and Credit History Restoration,
• Improvements in Use of and Consumer Access to Credit Information,
• Enhancing the Accuracy of Consumer Report Information,
• Limiting the Use and Sharing of Medical Information in the Financial System,
• Financial Literacy and Education Improvement,
• Protecting Employee Misconduct Investigations, and
• Relation to State Laws.^[4]

Coverage

There are two different groups that this rule applies to: Financial Institutions and Creditors.^[5] Financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer.^[6] FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services ^[7]

The definition of a creditor was clarified by the Red Flag Program Clarification Act of 2010.^[2] Under the Clarification Act, a creditor regularly and in the course of business:

• Obtains or uses consumer credit reports;
• Provides information to consumer reporting agencies; or
• Advances funds which must be repaid in the future (or against collateral).

This definition was further clarified United States Court of Appeals For the District of Columbia Circuit in its March 4, 2010 ruling on The American Bar Association vs. Federal Trade Commission.^[8] The court affirmed Senator Dodd's statement regarding the bill that "lawyers, doctors, ... and other service providers [are] no longer classified as 'creditors' for the purpose of the red flags rule just because they do not receive payment in full from their clients at the time they provide their services."

There are many different companies that this rule applies to: this list includes, but is not limited to finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies; or any other company that advances funds or routinely interacts with consumer credit agencies when performing a service and receiving payment once the work is complete

Elements

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The program must include four basic elements, which together create a framework to address the threat of identity theft.^[9][10]

The program has four elements:

1) Identify Relevant Red Flags

• Identify likely business-specific identity theft red flags

2) Detect Red Flags

• Define procedures to detect red flags in day-to-day operations

3) Prevent and Mitigate Identity Theft

• Act to prevent and mitigate harm when red flags are identified

4) Update Program

• Maintain the red flag program, including educating operational staff

The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations.^[6]

The red flags fall into five categories:

• alerts, notifications, or warnings from a consumer reporting agency^[6]
• suspicious documents^[6]
• suspicious identifying information, such as a suspicious address^[6]
• unusual use of – or suspicious activity relating to – a covered account^[6]
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts^[6]

The FTC has a created a template for businesses that can be populated to meet an individual company's needs. The template can be found on the FTC website. This template however is appropriate only for small, very low risk businesses.

Compliance

The Fair Credit Reporting Act of 1970, as amended in 2003 (FCRA), required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flags rules”).^[11] Those agencies were the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the Federal Trade Commission (FTC) (together, the “Agencies”). In 2007, the Agencies issued joint final identity theft red flags rules.^[12]

On January 1, 2011, the FTC began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments or transactions, such as a retail brokerage account, credit card account, margin account, checking or savings account, or any other accounts with a reasonably foreseeable risk to customers or your firm from identity theft.

On July 21, 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred responsibility for rulemaking and enforcement of identity theft red flag rules and guidelines to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) for the firms they regulate.

On April 19, 2013 the SEC and CFTC published their joint final Identity Theft Red Flags Rule and guidelines to be effective May 20, 2013, with a compliance date of November 20, 2013. The rule and guidelines do not contain requirements that were not already in the FTC Red Flags Rule and guidelines, and do not expand the scope of that rule to include new categories of entities that the rule did not already cover. They do, however, contain examples and minor language changes designed to help guide entities within the SEC's enforcement authority in complying with the rule, which may lead some entities that had not previously complied with the rule to determine that they fall within the scope of the rule that the SEC and CFTC adopted.

Red Flag Rule and identity theft

As the Red Flag rule widely defines creditors, many businesses (such as utilities) are required to collect personal information (such as SSN and Driver’s License Numbers) that are not needed for business purposes. This policy is contrary to the FTC’s advice to consumers that they should disclose their social security number to others only when absolutely necessary.^[13] This aspect of the Red Flag rule has the unintended consequences of increasing the number of business that hold consumers' Social Security numbers thereby putting consumers at greater risk for identity theft through data theft and increasing costs for businesses who are required to secure this data.

References

1. "FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule". 28 May 2010.
2. "Red Flag Program Clarification Act of 2010 (2010 - S. 3987)".
3. "Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy". 31 October 2007.
4. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public, vol. Law 108-159, 108th Congress, retrieved 2009-02-02
5. "Red Flag Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs". 8 July 2008.
6. "New ?Red Flag? Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft". Archived from the original on 2008-08-13. Retrieved 2009-07-09.
7. "FTC Will Grant Three-Month Delay of Enforcement of Red Flags Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs". 30 April 2009.
8. http://www.ama-assn.org/ama1/pub/upload/mm/399/aba-versus-ftc.pdf ^{[dead link]}
9. "Archived copy" (PDF). Archived from the original (PDF) on 2009-08-13. Retrieved 2009-07-09.
10. “Identity theft” means a fraud committed or attempted using the identifying information of another person without authority. See 16 C.F.R. § 603.2(a). “Identifying information” means “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any – (1) Name, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).” See 16 C.F.R. § 603.2(b).
11. See FCRA §§ 615(e)(1)(A)–(B), 15 U.S.C. 1681m(e)(1)(A)–(B).
12. See Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007).
13. ftc.gov. "Deter Minimize Your Risk". Archived from the original on 2011-10-13. Retrieved 2011-10-14.