Federal Trade Commission pushes back launch of 'Red Flags Rule'

Journal Record, The (Oklahoma City), Oct 24, 2008 by Marie Price

It's called the "Red Flags Rule," and it's coming to financial institutions, brokerage firms, credit card companies and mortgage firms near you as of Nov. 1.

In essence, the regulation requires affected businesses to take a proactive approach to identity theft, developing and maintaining a written program to detect, prevent and mitigate ID theft.

Businesses like auto dealers, utilities, telecommunications companies and others regulated by the Federal Trade Commission this week got a breather from the FTC, which pushed its enforcement launch date to May 1.

Fines for noncompliance range from $2,500 to $11,000 per violation.

In addition to the FTC, businesses regulated by the FDIC, Office of the Comptroller of the Currency, Federal Reserve Board, Office of Thrift Supervision, and National Credit Union Administration must comply with the regulation. None of the other five agencies have yet announced a postponement of enforcement.

Attorney Eric Johnson explained Thursday that, as the FTC interprets the regulation, a violation could potentially be assessed for each account affected, not just for each red flag program.

Johnson, a shareholder with the Phillips Murrah law firm, said Congress told federal regulators to come up with such a rule in 2003, as part of the Fair and Accurate Credit Transactions Act.

He said the law also requires companies to conduct a risk assessment of all the accounts they maintain or offer, to see if they are covered.

"They would look at, how do we give access to our accounts, how do we open our accounts, do we have any prior experiences of identity theft on this type of account," he said.

Johnson said covered accounts are mostly consumer-related, but could include business and commercial accounts "where there is a reasonably foreseeable risk to either the customer or the creditor from identity theft."

Johnson said that in developing a required program, businesses must detail "red flags" associated with their accounts, and how they would respond to them.

"Generally, a red flag is either an activity or maybe a pattern of practice that indicates either there has been identity theft or maybe the possible existence of identity theft, something that, just like it sounds, pops up and says, wait a minute, bells and whistles going off," he said.

Some examples of red flags outlined by federal regulators include pulling a credit report that has a fraud or active duty alert, trying to pull a credit report and receiving a notice of a freeze on the credit file, receiving notification from a credit bureau of an address discrepancy, a credit report with a pattern of activity inconsistent with the applicant's historic activity, and documents a business suspects have been altered.

Once a program is approved by company management or the corporate board of directors, he said, companies must train staff about how to put it into operation, and make sure appropriate service providers comply with it or have their own program in place.

Johnson said noncompliance by banks and other routinely examined businesses will probably be revealed during those procedures, but the situation is more complex when it comes to companies regulated by the FTC.

"It's a little bit more difficult to gaze into the crystal ball to see what they are looking for," he said.

Johnson said that if the FTC reacts as it has in the past, it may wait until after May 1, 2009, then fire out a series of letters to businesses requesting copies of their Red Flag programs and asking questions about how they were developed and how they will be maintained.

Johnson said a lot of smaller, mom-and-pop businesses may have accounts that would be covered by the rule, and not be aware of it.

He also said banks and other entities that must comply beginning Nov. 1 may want car dealers and other business with which they do business to have their programs in place then as well.

When it announced the postponement, the FTC said its staff learned that some creditor-businesses subject to its regulation were not certain they were covered by the rule or whether they engaged in activities that would cause them to fall under the act. Other businesses said they learned of the rule's requirements too late to comply by Nov. 1.