April 9, 2009
On May 1, 2009, the Federal Trade Commission ("FTC") will begin enforcement of the new "Red Flags Rule," a little-known regulation that likely impacts a surprisingly large number of business entities.
The Red Flags Rule, which was developed pursuant to the Fair and Accurate Credit Transactions Act of 2003[1] and is codified at 16 C.F.R. Section 681.2, requires that financial institutions and creditors with "covered accounts" develop and implement written identity theft prevention programs, which provide for the identification, detection, and response to patterns, practices, or specific activities – "red flags" – which could indicate identity theft.
Who Is Covered?
The Red Flags Rule applies to any financial institution or creditor holding a covered account.
Given the broad definitions of "creditor" (any entity that defers payments for goods or services) and "covered account" (any account involving multiple transactions that is primarily used for personal purposes), the Red Flags Rule will likely apply to many businesses in the United States. In fact, the FTC has estimated as many as 11 million creditors will have to comply with the Rule, and has stated that the Rule is also applicable to non-profit organizations.
What Is Required?
Closely related to the Red Flags Rule are two other regulations that are also intended to prevent identity theft. 16 C.F.R. Section 681.3 requires credit and debit card issuers to develop and implement policies and procedures to determine the validity of a change of address request that is followed closely by a request for an additional/replacement card. Furthermore, 16 C.F.R. Section 681.1 requires all users of consumer credit reports[2] to develop and implement policies and procedures that enable them to form a reasonable belief that a consumer report relates to the consumer about whom they have requested the report, when they receive a notice of address discrepancy from a consumer reporting agency. If a user regularly and in the ordinary course of business furnishes information to a consumer credit agency, the user must also forward the correct address to the consumer credit agency. The FTC began enforcing these related regulations on November 1, 2008.
What Are the Penalties for Noncompliance?
The FTC may impose monetary penalties of up to $2,500 per knowing violation of the Red Flags Rule. Although the FTC does not appear to have commented on how it would calculate such penalties, it is possible that the FTC could impose a penalty of $2,500 for each covered account that a noncompliant entity maintained. Thus, even small businesses face the potential of large monetary penalties for noncompliance with the Red Flags Rule.
Consequently, it is extremely important for all businesses to determine whether they are a covered entity, and if so, develop and implement an identity theft program by May 1, 2009.
[2] The term "user" refers to any user of a consumer credit report, and encompasses not only the more traditional types of creditors – who use consumer reports in conjunction with activities such as the issuance of credit cards, loans, and mortgages – but also includes entities that obtain consumer credit reports for the purpose of making employment-related decisions, and financial institutions.
Gibson, Dunn & Crutcher LLP lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work or Karl G. Nelson (214-698-3203, [email protected]) or M. Sean Royall (214-698-3256, [email protected]) in the Dallas office.
© 2009 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.