Federal Red Flag Regulations: A New Front Opens in the War on Identity Theft
by Charles H. Kennedy

When it comes to shredding sensitive business documents, leaders of some of America's largest companies are devoting more attention and more money to keeping information safe. Despite the extra effort, many admit unfamiliarity with key federal and state laws governing information privacy, leaving them vulnerable to fines and identity theft. Now, more rules are coming. Set to go into effect this November, the new “Red Flag” regulations added to the Federal Trade Commission’s Fair and Accurate Credit Transactions Act, or FACTA, are among the most important privacy initiatives of recent years. These regulations will force tougher standards on creditors and financial institutions to prevent consumer identity theft. This article provides a high-level overview of the regulation guidelines, with some suggested measures that organizations can take today to meet the Nov. 1 compliance deadline.
The need to safeguard proper access, destruction and disposal of private or confidential information is on the radar of America’s largest companies. But according to a survey commissioned by Iron Mountain, companies believe they are more familiar with federal requirements for information destruction than they actually are. While nearly 74 percent express familiarity with such requirements, fewer than 30 percent are aware of the Federal Trade Commission’s Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule, one of the top laws governing U.S. businesses on information security and disposal. The FACTA Disposal Rule mandates that organizations properly dispose of papers that contain consumer information by methods such as burning, pulverizing or shredding so that the information cannot practically be read or reconstructed.
On Nov. 1, 2008, the FACTA privacy regulations will expand to include new “Red Flag” rules. These new regulations will hold U.S. financial institutions and creditors to tougher standards for preventing identity theft and consumer fraud-related crimes.
IDENTITY THEFT: WHY WE NEED THE RED FLAG REGULATIONS
Identity theft is the fraudulent use of an individual’s personal information to open financial accounts, incur debts or transact other business in the victim’s name. Identity theft also is a growth industry that imposes enormous financial and emotional costs on individuals and businesses alike.
Prevention of identity theft and its effects, like the crime itself, is a multi-step process. The first and most effective step is to keep unauthorized persons from acquiring personal information in the first place. If that step fails, creditors and credit reporting agencies can prevent the successful misuse of the stolen data by requiring more information from new account applicants and persons seeking to make charges against existing accounts, or by taking steps to verify the identities of persons whose attempts to use or establish credit appear questionable. Finally, if all of those efforts fail and identity theft attempts are successful, businesses can soften the impact on consumers by forgiving unauthorized charges.
REQUIREMENTS OF THE RED FLAG REGULATIONS
Some companies will soon have to contend with a new set of FACTA mandates from the FTC. Effective Nov. 1, 2008, financial institutions and creditors must have a formal program for preventing identity theft. The Red Flag regulations are new guidelines that require companies to identify and account for “red flags,” defined by the FTC as “patterns, practices and specific forms of activity that indicate a possible risk of ID theft.”
A. The Regulations Affect a Wide Cross-Section of American Business
The Red Flag regulations were adopted as amendments to the Fair Credit Reporting Act. However, they have a broader impact than previous regulations adopted under the Fair Credit Reporting Act, which applies primarily to consumer reporting agencies. The new regulations must be observed by two very wide categories of businesses: “financial institutions” and “creditors.”
Financial institutions include any state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.
A creditor, in turn, is defined to include lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Essentially, any person or entity that furnishes goods or services on a delayed-payment basis qualifies as a “creditor” for purposes of the Red Flag regulations.
B. Financial Institutions and Creditors Must Develop Compliance Programs
The regulations require affected businesses to take a wide range of measures, including policies aimed at changes of address and address discrepancies and development of comprehensive identity theft prevention programs.
1. Duties of Card Issuers Regarding Changes of Address
Some of the Red Flag obligations are imposed specifically upon issuers of payment cards (i.e., debit cards and credit cards). Those entities must be prepared to deal with cases in which a change of address notice is followed, within 30 days or less, by a request for an additional or replacement card for the same account. In these cases, the card issuer may not issue an additional or replacement card until it has notified the cardholder of the request at the cardholder’s former address or by any other means previously agreed to. The issuer also must give the cardholder a means of promptly reporting incorrect address changes or otherwise assess the validity of the change of address in accordance with the policies and procedures the issuer has established under the Red Flag regulations.
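As an added illustration that is not part of the original article, the following Python check applies the 30-day change-of-address rule described above to a constructed stream of account events; the event schema, event kinds and account numbers are assumptions made for the example, not terms from the regulations.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "Within 30 days or less" of the change-of-address notice, as the rule states.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)

@dataclass(frozen=True)
class Event:            # constructed event schema, not from the article
    account: str
    kind: str           # "address_change", "holder_notified" or "card_request"
    on: date

def card_requests_to_hold(events):
    """Return (account, date) for each additional/replacement card request made
    30 days or less after a change-of-address notice, where the cardholder has
    not yet been notified at the former address (or other agreed means).
    Such requests must be held until that notice has been given."""
    order = {"address_change": 0, "holder_notified": 1, "card_request": 2}
    last_change, notified, held = {}, {}, []
    # Same-day events sort change -> notice -> request, so a request on the
    # day of the change counts as inside the window (conservative reading).
    for ev in sorted(events, key=lambda e: (e.on, order[e.kind])):
        if ev.kind == "address_change":
            last_change[ev.account] = ev.on
            notified[ev.account] = False   # each new change needs a new notice
        elif ev.kind == "holder_notified":
            notified[ev.account] = True
        elif ev.kind == "card_request":
            changed = last_change.get(ev.account)
            if changed is None:
                continue                   # no address change on file
            if ev.on - changed <= ADDRESS_CHANGE_WINDOW and not notified[ev.account]:
                held.append((ev.account, ev.on))
    return held

# Constructed sample events (fictitious account numbers).
SAMPLE_EVENTS = [
    Event("A-1001", "address_change", date(2008, 11, 3)),
    Event("A-1001", "card_request", date(2008, 11, 20)),   # 17 days later: hold
    Event("A-1002", "address_change", date(2008, 9, 1)),
    Event("A-1002", "card_request", date(2008, 10, 15)),   # 44 days: outside window
    Event("A-1003", "address_change", date(2008, 11, 1)),
    Event("A-1003", "holder_notified", date(2008, 11, 5)),
    Event("A-1003", "card_request", date(2008, 11, 10)),   # notice already given
    Event("A-1004", "address_change", date(2008, 11, 1)),
    Event("A-1004", "card_request", date(2008, 12, 1)),    # exactly 30 days: hold
    Event("A-1005", "card_request", date(2008, 11, 2)),    # no address change
]
```

Running `card_requests_to_hold(SAMPLE_EVENTS)` flags only the A-1001 and A-1004 requests; the others fall outside the window, follow a notice already sent, or follow no address change at all.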
2. Duties of Users of Consumer Reports Regarding Address Discrepancies
The regulations also impose new duties upon users of consumer reports, including businesses that obtain consumer reports before deciding to extend credit. Specifically, the regulations require such users to respond appropriately when a consumer reporting agency informs the user of a “substantial difference” between the address the user reported to the consumer reporting agency and the address or addresses in the agency’s file for that consumer.
When such an address discrepancy report is received, the user must employ reasonable policies and procedures to form a “reasonable belief” that the applicant and the consumer identified in the credit report are the same person. Reasonable policies and procedures may include comparing the information in the consumer report with information the user has obtained in compliance with the Customer Identification Program (CIP) requirements, information in the user’s own records or information obtained from a third party. Users also may verify the information in the consumer report with the consumer.
Also, when a user has received a notice of address discrepancy from a consumer reporting agency, the user must send to the agency a consumer address that the user has reasonably confirmed to be accurate. This obligation applies when the user: (1) can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report; (2) has established a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy was obtained.
3. Detection, Prevention and Mitigation of Identity Theft
The heart of the Red Flag regulations is the set of policies and procedures that creditors and financial institutions must develop in order to help control identity theft. Those obligations include several elements.
First, each creditor and financial institution must decide whether it offers or maintains covered accounts – a category that includes any account that permits multiple payments for the price of goods or services used for personal, family or household purposes. This review, which must be conducted periodically, includes an assessment of the methods the business provides to open accounts, the methods it provides to access the accounts, and its previous experiences with identity theft.
If a financial institution or creditor determines that it offers covered accounts, it must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
Creditors and financial institutions also must update their programs periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. Initial approval of the program must be obtained from the Board of Directors or an appropriate committee thereof; the institution’s staff must be trained as necessary to implement the Program; and the financial institution or creditor must exercise appropriate and effective oversight of service provider arrangements.
The specific Red Flags that a creditor or financial institution’s program will identify and address are not set out in the regulations, but covered entities are required to consider the suggestions made in the set of “Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation.” Notably, the guidelines state that each program should include, as appropriate, Red Flags from the following categories:
- Alerts and notifications
- The presentation of suspicious documents or personal identifying information
- The unusual use of, or other suspicious activity related to, a covered account
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
4. The Importance of Records Security and Vendor Oversight
The Red Flag regulations give creditors and financial institutions a great deal of discretion in identifying the threats they must address and the preventive measures that are appropriate. Specifically, in identifying threats and developing measures for dealing with those threats, affected entities are required to take into account a number of factors, including: (1) incidents of identity theft that the financial institution or creditor has experienced; and (2) any data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor or third party.
The implication of these provisions is clear. A creditor or financial institution that has experienced identity theft, or even a breach of data security that might or might not have resulted in identity theft, will be expected to develop a program that adequately addresses the circumstances that gave rise to those incidents. It is also reasonable to expect that when regulators investigate a creditor or financial institution that has experienced a data security or identity theft incident, they will scrutinize it much more closely to ensure that its identity theft prevention program is rigorous and thorough.
These elements of the regulations underscore the importance of addressing the fundamentals of data security, including protection of records containing personal information at all stages of the records’ life cycle, including retention and disposal. Failure to secure sensitive records increases the likelihood of a compromise of personal information and close regulatory scrutiny of the organization’s Red Flag program and all other aspects of the organization’s privacy compliance.
PREPARING FOR COMPLIANCE WITH RED FLAG REGULATIONS
By Nov. 1, 2008, all creditors and financial institutions subject to the Red Flag regulations must have their compliance programs in place. Because development of such a program is a multi-step process and requires approval of the organization’s board of directors or equivalent level of management, the sooner affected organizations begin their program development, the better.
Among the steps that must be taken is confirmation that the organization is subject to the Red Flag regulations and maintains accounts of the kind a Red Flag compliance program must cover. Generally speaking, any creditor or financial institution that provides or arranges for the provision of goods or services on a deferred-payment basis should assume that the Red Flag regulations apply to it.
Once that is determined, the organization must conduct a careful risk assessment of all of the circumstances in its business operations that might present vulnerabilities for identity theft. This is also the time to identify past incidents of identity theft or data loss whose repetition the program must guard against.
When the program is implemented, organizations must keep in mind that the program is only as good as the training, oversight and periodic modifications that will keep it relevant and effective. Above all, avoidance of data loss and identity theft incidents is the surest way to prevent regulatory action, lawsuits and other fallout that can harm your organization’s financial viability and reputation.
CONCLUSION
While 90 percent of companies have defined policies and procedures for destroying and disposing of private information, one in three has not heard of the FACTA Disposal Rule. As some companies will soon have to contend with a new set of FACTA mandates from the FTC, it will become even more critical that sensitive documents are safeguarded. Effective Nov. 1, 2008, financial institutions and creditors must have a formal program for preventing identity theft.
With these new requirements, the FTC is putting companies on notice that it is no longer enough for companies to simply say they have a policy for shredding or information destruction. Organizations now must prove their policies and procedures actually work.
Charles H. Kennedy is a leading data privacy expert at Morrison & Foerster