Are You Ready for the Red Flags Rule?

The Red Flags Rule is a little-known regulation that, effective August 1, 2009, impacts a surprisingly large number of business entities.

This article was published in the July 2009 issue of the Scottsdale Airpark News

Special thanks to Nussbaum Gillis & Dinner, P.C. attorney Andrea Landeen for her assistance with this article

The Red Flags Rule requires that financial institutions and creditors with “covered accounts” develop and implement written identity theft prevention programs, which provide for the identification, detection, and response to patterns, practices or specific activities, or “red flags”, which could indicate identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, attempted use of suspicious application documents, discrepancies in address history, inactive accounts that suddenly become active, or notices from identity theft victims or law enforcement agencies, among others.

Who Is Covered?

The Rule applies to any financial institution or creditor holding a covered account. A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a customer.

The Rule seems aimed at financial institutions and creditors such as banks, thrifts, credit unions, credit card companies, and auto dealers, or those creditors that utilize sensitive personal information about a consumer accessed through a credit application process and requiring the use of an individual’s credit report. However, given the broad definitions of “creditor” (any entity that defers payments for goods or services) and “covered account” (any account involving multiple transactions that is primarily used for personal purposes), the Rule will likely apply to many businesses in the United States.

What Is Covered?

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Examples of covered accounts include, but are not limited to, credit card, margin, cell phone, utility, checking and savings accounts, as well as mortgage and automobile loans. A covered account is also defined to include an account for which there is a foreseeable risk of identity theft, such as small business or sole proprietorship accounts.

Is My Business Subject to the Rule?

A creditor is any entity that regularly extends, renews or continues credit, any entity that regularly arranges for the extension, renewal, or continuation of credit, or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Examples of creditors include finance companies, automobile dealers, mortgage brokers, utility companies, telecommunication companies, and even law firms. Certain law firms that have individual clients and bill at the end of a period, rather than through an advance deposit, will likely be subject to the Rule as “creditors” with “covered accounts.”

What Does the Rule Require?

By August 1, 2009, covered entities must develop and implement a written program that identifies and detects the relevant warning signs of identity theft. The program must describe appropriate responses that would prevent and mitigate the identity theft and provide a plan to periodically update the program. The program must be managed by an entity’s Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

What Are the Penalties for Noncompliance?

The FTC may impose monetary penalties of up to $2,500 per knowing violation of the Rule. Although the FTC does not yet appear to have commented on how it would calculate such penalties, it is possible that the FTC could impose a penalty of $2,500 for each covered account that a noncompliant entity maintained. Thus, even small businesses face the potential of large monetary penalties for noncompliance with the Rule.

Consequently, it is extremely important for all businesses to determine whether they are a covered entity as defined by the Rule, and if so, implement a written identity theft program.

 


Nussbaum Gillis & Dinner, P.C.

14850 N. Scottsdale Road, Suite 450

Scottsdale, AZ 85254

480-609-0011

 
 
