The compliance deadline for the so-called Red Flag Rules that require financial institutions and creditors to have written programs in place to detect, prevent, and mitigate consumer identity theft, is just around the corner.

But, while compliance with the regulations shouldn’t be overly burdensome for most companies, many of them won’t be ready because they’re not even aware that the rules apply to them, observers tell Compliance Week.


“In my experience, medium and small businesses don’t have this on their radar yet,” says Eduard Goodman, general counsel and chief privacy officer of Identity Theft 911. “They have no idea this is something they’ve got to comply with.”

The regulations, which were issued by the Federal Trade Commission, federal bank regulatory agencies, and the National Credit Union Administration last year as required by the Fair and Accurate Credit Transactions Act, took effect Jan. 1, 2008.

The FTC estimates the rules will affect more than 11 million creditors and financial institutions. Any such entity that offers or maintains “covered accounts” must have in place by Nov. 1 a written identity theft prevention program that provides for the identification, detection, and response to “red flags,” that is, patterns, practices, or specific activities that could indicate identity theft.


Experts say the definitions of “financial institutions,” “creditors,” and “covered accounts” under the rules sweep in a broad range of companies well beyond banks. In general, if a business grants credit, “These rules apply to you,” says Kevin Lyles, a partner in the law firm Jones Day.

Even if they’ve already determined that they’re subject to the requirements, companies still must determine which accounts they have that are “covered accounts”—a challenge some companies are struggling with, says Lyles.

Under the rules, a covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions, such as credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft—for example, small business or sole proprietorship accounts.

“While it’s fairly easy for financial institutions like banks, for companies in other industries, it’s not as easy to know what accounts are covered,” says Lyles.

Companies including finance companies, auto dealers, mortgage brokers, utility companies, telecommunications companies, medical offices, and furniture rental companies may be considered creditors under the rules.

Who’s Prepared, Who’s Not

Observers say some companies are better prepared for the rules than others. Nagraj Seshadri, product marketing manager at data security company Utimaco, says larger financial companies already dealing with similar regulations “are in better shape to deal with the rules, while smaller companies are coming to see this as a challenge.”

RED FLAGS

Section 681.2 of the Federal Trade Commission’s identity theft rules outlines duties regarding the detection, prevention, and mitigation of identity theft.

A. Scope. This section applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1).

B. Definitions. For purposes of this section, and Appendix A, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.

(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

C. Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.

D. Establishment of an Identity Theft Prevention Program.

(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

E. Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.

F. Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate.

Source

Federal Register: Federal Trade Commission Rules (Nov. 9, 2007).

Joseph Dooley, a managing director in KPMG’s U.S. forensic practice, says, “For the most part, the larger financial institutions will be ready, but they’ve spent thousands of hours assessing the applicability of the regulations to every one of their products and services.”


Meanwhile, some smaller businesses and non-financial institutions are “somewhat behind the curve,” says Catherine Meyer, an attorney with Pillsbury. For example, companies that aren’t regulated, such as country clubs that bill members monthly via house accounts, are “often surprised to find that they may have covered accounts,” she says.

The rules are deliberately flexible to enable companies to design a plan that’s tailored to their size and complexity and the nature of their operations. Experts say that’s both good and bad news for companies.

“The beauty of the Red Flag Rules is they’re very flexible,” says Christopher Wolf, a partner in the law firm Proskauer Rose. “There’s no one-size-fits-all compliance plan.”

However, others say that flexibility is causing uncertainty and confusion among some companies about how to comply with the requirements.

Goodman, who describes the regulations as “very vague,” says, “How much companies need to do isn’t crystal clear.”

Among those companies that have already gone through the process, Meyer observes, those in more regulated industries, accustomed to having a detailed checklist from regulators, “had a harder time figuring out what they had to do to comply, while businesses that aren’t heavily regulated had an easier time, because they’re more used to making those subjective determinations.”

While the FTC offers a list of 26 examples of “red flags” companies can use as a starting point, experts say each company’s list will differ depending on the nature of its business, the number and type of covered accounts it offers, and its geographic location. For instance, companies with one type of covered account may have fewer red flags than companies that offer several types of covered accounts, says Meyer.
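To make the “identify, detect, respond” elements of Section 681.2(d)(2) concrete, here is an added example that is not part of the article and not code from the FTC or any company quoted. It replays a set of constructed account events and raises a finding when one of three Red Flags fires. The three Red Flags are paraphrased from the FTC’s Appendix A examples (a Social Security number already used by another applicant, a card request shortly after an address change, and continued transactions while mail is returned undeliverable); the 30-day window, the two-returned-mailings threshold, the event names and the responses are this example’s assumptions, since the rule itself leaves such specifics to each company’s program.

```python
# Added example (not from the article or the FTC): a small Red Flag detector
# that shows the "identify / detect / respond" elements of 16 CFR 681.2(d)(2)
# over constructed account events. The three Red Flags are paraphrased from
# the FTC's Appendix A examples; thresholds and event names are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: Appendix A says a card request "shortly following" an address
# change; the rule does not quantify it, so 30 days is this example's choice.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)
# Assumption: two returned mailings count as "repeatedly" undeliverable.
RETURNED_MAIL_THRESHOLD = 2


@dataclass
class Event:
    account_id: str
    day: date
    kind: str                   # open | address_change | card_request | mail_returned | transaction
    ssn: Optional[str] = None   # supplied only on "open" events


@dataclass
class Finding:
    account_id: str
    red_flag: str               # the Red Flag that fired (the "identify" element)
    response: str               # the program's prescribed response (the "respond" element)


# The "identify" element: Red Flags the program has decided are relevant,
# each paired with its response. Paraphrased from Appendix A examples.
RED_FLAGS = {
    "shared_ssn": ("SSN supplied at opening was already used by another applicant",
                   "hold the application and verify identity before opening"),
    "card_after_move": ("request for a new or additional card shortly after a change of address",
                        "confirm the request with the customer at a previously verified contact point"),
    "undeliverable_mail": ("transactions continue while mail to the customer is returned as undeliverable",
                           "place the account under monitoring and reconfirm the address"),
}


def detect_red_flags(events: List[Event]) -> List[Finding]:
    """The "detect" element: replay account events in date order and emit one
    Finding per (account, Red Flag) the first time the pattern is seen."""
    findings: List[Finding] = []
    seen = set()
    ssn_to_accounts = defaultdict(set)   # ssn -> accounts opened with it
    last_address_change = {}             # account -> date of latest address change
    returned_mail = defaultdict(int)     # account -> count of undeliverable mailings

    def flag(account_id: str, key: str) -> None:
        if (account_id, key) not in seen:
            seen.add((account_id, key))
            findings.append(Finding(account_id, *RED_FLAGS[key]))

    for e in sorted(events, key=lambda ev: ev.day):
        if e.kind == "open" and e.ssn:
            ssn_to_accounts[e.ssn].add(e.account_id)
            if len(ssn_to_accounts[e.ssn]) > 1:
                flag(e.account_id, "shared_ssn")
        elif e.kind == "address_change":
            last_address_change[e.account_id] = e.day
        elif e.kind == "card_request":
            moved = last_address_change.get(e.account_id)
            if moved is not None and e.day - moved <= ADDRESS_CHANGE_WINDOW:
                flag(e.account_id, "card_after_move")
        elif e.kind == "mail_returned":
            returned_mail[e.account_id] += 1
        elif e.kind == "transaction":
            if returned_mail[e.account_id] >= RETURNED_MAIL_THRESHOLD:
                flag(e.account_id, "undeliverable_mail")
    return findings


# Constructed sample events (not real data). A004 is the negative case: its
# card request comes 75 days after the address change, outside the window.
SAMPLE_EVENTS = [
    Event("A001", date(2008, 1, 5), "open", ssn="000-00-0001"),
    Event("A003", date(2008, 1, 20), "open", ssn="000-00-0003"),
    Event("A002", date(2008, 2, 10), "open", ssn="000-00-0001"),
    Event("A001", date(2008, 3, 1), "address_change"),
    Event("A001", date(2008, 3, 10), "card_request"),
    Event("A003", date(2008, 4, 1), "mail_returned"),
    Event("A003", date(2008, 4, 15), "mail_returned"),
    Event("A003", date(2008, 4, 20), "transaction"),
    Event("A003", date(2008, 4, 25), "transaction"),
    Event("A004", date(2008, 5, 1), "address_change"),
    Event("A004", date(2008, 7, 15), "card_request"),
]

if __name__ == "__main__":
    for f in detect_red_flags(SAMPLE_EVENTS):
        print(f"{f.account_id}: {f.red_flag} -> {f.response}")
```

Run against the constructed events, the detector returns three findings (A002, A001, A003) and none for A004. The point of the structure, rather than the particular flags, is that the list of Red Flags and their responses lives in one place that can be reviewed and updated as Section 681.2(d)(2)(iv) requires, while the detection logic only replays events against it.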

Still Time Left

For those coming late to the compliance party, experts say compliance by the Nov. 1 deadline is still achievable, with some quick effort.

“The time to panic isn’t quite yet, but it’s getting close,” Meyer quips. Even if they’ve just figured out that the rules apply to them, for most companies, “compliance isn’t necessarily from scratch,” she says.

That’s because companies are likely to have some existing policies in place that can be incorporated into their compliance program. For example, policies that limit access to customer data, that cover how to treat sensitive customer information, or that specify responses to security breaches can be tied into a Red Flag identity theft prevention plan.

Likewise, Lyles says, “I don’t think complying is that big a challenge for companies that already have reasonable information security practices and are thoughtful about how they protect information.”

For instance, most companies with covered accounts already have processes in place to authenticate and verify a person opening a new account. Still, he says, designing a program to comply with the rules will require most companies to add some new components to their information security policy that relate specifically to identity theft.

“Most companies, even if they have a good existing information security policy, will need to come up with something new,” says Lyles.

And such policies must be in writing. For some companies that might mean hiring outside lawyers to draft a written program. While there may be costs associated with putting their program in place, says Goodman, the benefit is that “companies won’t have to swallow the cost of identity theft if they can spot it early.”

Goodman further notes that compliance isn’t a one-time exercise to design and implement a plan. “Companies need to update their plans and procedures as they spot new [identity theft] trends,” he says.

While the potential consequences for non-compliance include regulatory penalties and injunctions, Meyer and other observers say the FTC “really seems to be more interested in making sure there’s compliance.”

Likewise, Wolf says he expects to see “rolling enforcement.”

“I suspect regulators as of Nov. 1 won’t strike out at every company that’s not compliant, but there won’t be a very long grace period for companies to get compliant,” he says.
