Credit Blog

Will New Rules to Combat Identity Theft Help Consumers?

By guest contributor, Andrew M. Baer, Esq.

With losses to consumers and businesses from identity theft running into the billions of dollars each year, the government has sounded the alarm for more aggressive protection. In November 2007, with much fanfare, federal banking regulators and the Federal Trade Commission (FTC) unveiled new regulations requiring financial institutions and creditors to implement comprehensive programs to protect consumers from identity theft. These so-called "Red Flags Rules" also include a special requirement for credit and debit card issuers to validate change of address notices which are followed by a request for an additional or replacement card.

Overall, the Red Flags Rules do not require traditional financial institutions and creditors, like banks and credit card issuers, to do much more than they should already be doing -- i.e., systematically assess and manage risks across their range of customer interactions to protect individuals and reduce fraud losses by detecting, preventing and mitigating identity theft. All that said, awareness of the new rules may relieve consumer anxiety and confusion and help communication with banks and creditors if a “red flag” scenario arises. (And, as we shall see, the Red Flags Rules apply to a wide spectrum of businesses in addition to banks and credit card companies.)

The FTC and five federal regulatory agencies (the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of Thrift Supervision, and the National Credit Union Association) collaborated to develop the Red Flags Rules as mandated by the 2003 Fair and Accurate Credit Transactions Act. Broadly speaking, the Rules require "financial institutions" and "creditors" with "covered accounts" to develop and implement a formal written program that effectively identifies and detects warning signs ("red flags") of identity theft and provides for appropriate responses to red flags when detected. Some obvious examples of red flags are account activity that is unusual or inconsistent with past use, presentation of suspicious (e.g., altered) account application documents, a fraud alert on a credit report, or a notice from a customer, identity theft victim or law enforcement agency. Appropriate responses to red flags depend on the facts of each situation. For example, if a credit card company detects unusual activity on an account, it could notify the customer, monitor the account for further anomalies, put a freeze on the account, close the account and reopen it after connecting with the customer, or some combination or sequence of these responses.

Consumers should also know that "creditors" subject to the Red Flags Rules include not just their mortgage and credit card lenders, but any business, non-profit organization or government agency that regularly extends, renews or continues credit or arranges for any of these activities. Credit is broadly interpreted to mean the deferral of payment for goods or services, so that entities outside the financial industry, such as utility companies, mobile telecommunications providers, law firms and health care providers are potentially covered by the Rules. This is an important fact because, while banks and other regulated financial institutions and creditors were required to have their identity theft programs in place by November 1, 2008, the FTC, which is tasked with enforcing the Rules for other types of businesses, has repeatedly delayed enforcement to give these businesses more time to determine if they are covered and, if so, to prepare their identity theft programs. As of this moment, the FTC will not begin enforcement until August 1, 2009.

The Red Flags Rules apply to financial institutions and creditors with "covered accounts," which are defined as accounts used primarily for consumer (i.e., personal, family or household) purposes and allowing multiple payments or transactions. Credit card accounts, margin accounts, utility accounts and cell phone accounts, as well as checking and savings accounts, all fall into this category. A covered account may also be any other type of account for which there is a foreseeable risk of identity theft. Thus, a small business or sole proprietor account which is linked with the personal information of the principal will likely be a covered account. Financial institutions and creditors must conduct a self-assessment to determine whether or not they have covered accounts.

Organizations covered by the Rules have flexibility to define their own red flags as appropriate, provided that their way of choosing is reasonable. There is no "one size fits all" approach; each identity theft prevention program must take into account the organization’s size and complexity and the nature and scope of its operations. However, at a minimum, each program must be initially approved by the organization's board of directors or a board committee, must have official oversight, must include training of appropriate staff and oversight of service providers who have contact with covered accounts, and must be periodically updated to address changing risks.

The Red Flags Rules, in effect, set up an early warning system for detecting possible identity theft. Consumers who suspect that their personal information may have been compromised or that they are victims of identity theft should contact their banks and creditors and the credit reporting agencies immediately, since the information they communicate will raise one or more red flags that, in turn, will require an appropriate response from the banks and creditors to mitigate the risk of further harm. Likewise, consumers should immediately cooperate with requests for information from financial institutions and creditors investigating suspicious activity, as they are likely responding to red flags.

While the identification of red flags is largely left up to businesses, Congress specifically required the FTC and the regulatory agencies to prescribe a rule for one particular red flag which is strongly correlated with identity theft in the credit and debit card world. Card issuers must have reasonable policies and procedures to assess the validity of a change of address notice followed within 30 days by a request for an additional or replacement card on the same account. The card issuer may not issue the new card within the first 30 days after the change of address notice unless the cardholder has been notified of the request and given a reasonable means to respond, or the card issuer assesses the validity of the address change request through some other mechanism. Written notices to cardholders in connection with the validation process must be clear and conspicuous and must be provided separately from regular correspondence, such as normal customer mailings.

While the sentiment behind the Red Flags Rules is laudable enough, it is unclear how much extra benefit they will bring consumers in the fight against identity theft. Banks and credit card companies already have an incentive to detect and prevent identity theft as early as possible, since fraud losses and the costs of notifying customers and closing and reopening accounts drop directly to their bottom line. Furthermore, the Red Flags Rules do not do much more than prescribe and formalize a system of risk assessment and management that their regulators already require. A soundly run bank or credit card company already has this system in place, and thus compliance becomes purely a matter of delivering to the regulators a suitable board-approved document entitled “Red Flags Identity Theft Program” along with its appropriate administrator. (With that said, as the events of the last year prove, soundly run banks and financial institutions should have been doing a lot of things that they did not, in fact, do.) The Red Flags Rules should catch the laggards, along with all of those organizations outside the federal regulatory umbrella who are unaware they are creditors and have covered accounts that are at risk for identity theft.

As the world is full of scheming fraudsters and the new rules are flexible and generally aligned with businesses' self-interest, a little extra protection is better than nothing, even if the cost is more paper.

Andrew M. Baer is an attorney with long experience in technology, e-commerce and information security matters relating to credit and the financial industry. He is the founder of Baer Business Law, LLC (www.baerbizlaw.com), a Philadelphia firm focused on providing cost-efficient business counseling, contracting, technology and intellectual property law services.

posted by cg editor | 6/19/2009


