FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule To December 31

By Thomas Ahearn, ESR Staff Writer

The Federal Trade Commission (FTC) has further delaying enforcement of the Red Flags Rule for identity theft scheduled to begin on June 1, 2010 to December 31, 2010.

According to a FTC news release, the delay of the Red Flags Rule for identity theft to the end of the year would give Congress time to consider legislation that would resolve any questions as to which entities are covered by the Red Flags Rule and remove the need for further enforcement delays. As currently written, the Red Flags Rule — which was developed under the Fair and Accurate Credit Transactions Act (FACTA) — requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or activities — called “red flags” — that may indicate identity theft.

With identity theft on the rise — a recent survey found the number of identity theft and fraud victims in the U.S. increased 12 percent to affect over 11 million adults in 2009 — the FTC’s Red Flags Rule addresses the need for businesses extending credit to customers to develop and implement written identity theft prevention programs. In addition, according to a “Facts For Businesses” page on the FTC website, the Red Flags Rule may apply to groups that might not typically use the words “financial institutions” and “creditors” with “covered accounts” to describe themselves.

  • The Red Flags Rule defines a “financial institution” as banks, savings and loan associations, mutual savings banks, credit unions, or any person, directly or indirectly, holding a transaction account belonging to a consumer.
  • The Red Flags Rule definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies may fall within this definition. Creditors also include those who regularly grant loans, arrange for loans, or extend credit.
  • The Red Flags Rule defines that term “covered accounts” as 1.) A consumer account primarily designed to permit multiple payments or transactions such as credit card accounts, mortgage/auto loans, and cell phone, utility, and checking and savings accounts; and 2.) Any account for which there is a foreseeable risk to customers or to the financial institution or creditor from identity theft.

Beginning December 31, 2010, the Red Flags Rule would require the entities described above to develop, implement, and administer Identity Theft Prevention Programs that include four basic elements — Indentify, Detect, Prevent, and Update — to address the threat of identity theft:

  • An Identity Theft Prevention Program must include reasonable policies and procedures to identify the “red flags” of identity theft, the patterns, practices, or activities that may indicate the possibility of identity theft.
  • An Identity Theft Prevention Program must be designed to detect the red flags identified, and have procedures in place to help in the detection of red flags.
  • An Identity Theft Prevention Program must spell out the appropriate response to take when red flags are detected to prevent and mitigate identity theft.
  • An Identity Theft Prevention Program should go through a periodic update to reflect new risks from identity theft since this crime is an ever-changing threat.

For more information and the latest news about identity theft and the Red Flags Rule, please visit Employment Screening Resources (ESR) at http://www.esrcheck.com.