Defense Digest 3/09: The Red Flag Rules Pose Challenges

By Eric A. Packel, Esq.*

Federal - Consumer & Credit Law

An alphabet soup of government agencies, including the OCC, the FTC, and the FDIC, had a hand in the implementation of various regulations, together referred to as the Red Flag rules. Despite the name, the rules have nothing to do with throwing a red flag to challenge a bad call by an NFL referee. Rather, the Red Flag rules are found in Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") and require various entities to implement procedures for detecting and preventing identity theft. Not surprisingly, these rules are challenging in their scope and complexity.

One of the most challenging aspects of the rules concerns who or what is covered by them. Technically, the Red Flag rules apply to "financial institutions" and "creditors" with "covered accounts." Covered accounts include (1) an account ... primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and (2) any other account ... for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft. 12 C.F.R. § 222.90(3).

Obviously, "financial institutions" include traditional banks, mortgage lenders, and savings and loan associations. 12 C.F.R. § 222.90(7); 15 U.S.C. § 1681a(t). Less obvious may be the definition of "creditor." The Red Flag rules define "creditor" by reference to the Equal Credit Opportunity Act ("ECOA"). The FTC, in an Enforcement Policy Statement relating to the Red Flag rules, clarified this to mean that under ECOA, "any person that provides a product or service for which the consumer pays after delivery is a creditor."

In other words, any company that permits a customer to defer payment is covered by the rules. While this clearly includes businesses such as automobile dealers, mortgage brokers, utility companies, and third-party debt collectors, this extremely broad definition of "creditor" could apply to almost any business that allows customers to pay on credit. Thus, the Red Flag rules are sweeping in their scope and incorporate much more than the traditional financial or banking industry entities.

Since giant financial institutions and local mom and pop stores could all be covered under the Red Flag rules, what are they required to do to comply? Under Section 114 of FACTA, a covered entity must develop and implement a four-pronged identity theft prevention program for its covered accounts. The basic parameters are "identify," "detect," "respond," and "update."

That is, each covered entity must first identify and incorporate into its ID theft program any relevant patterns, practices, and activities that are "red flags" that could signal possible identity theft. Second, each entity must develop policies and procedures to detect red flags.

Third, each covered entity must respond to any red flags that are detected in order to prevent and mitigate identity theft. The guidelines recommend monitoring an account for evidence of identity theft, contacting the customer, calling law enforcement, and changing any security device that permits account access. Finally, each covered entity must update its ID theft program periodically to handle any changes in risks to customers from identity theft, or even risks to the soundness of the covered entity itself.

Additionally, credit card issuers and users of consumer reports have their own separate requirements under FACTA's Red Flag rules with respect to consumer address changes. Credit card issuers must develop policies for issuing additional or replacement cards made shortly after a change of address notification is received. Users of consumer reports must develop procedures to verify the identity of a consumer when the address given by the consumer is substantially different from the address in the consumer report.

The above rules of course raise the question: what exactly is a red flag? A red flag is defined under FACTA as a pattern, practice, or specific activity that indicates the possible existence of identity theft. The regulations list five specific categories of red flags as a form of guidance. The five categories are:

1.  Alerts, notifications, or other warnings received from consumer reporting agencies or service providers such as fraud detection services;

2.  The presentation of suspicious documents;

3.  The presentation of suspicious personal identifying information, such as a suspicious address change;

4.  The unusual use of, or other suspicious activity related to, a covered account; and

5.  Notice from customers, victims of identity theft or law enforcement authorities.

More examples and specifics of what are considered "red flags" are set forth in Appendix J Section IIb and Supplement A to Appendix J of Section 114 of FACTA.

So what happens if a covered entity fails to comply with the Red Flag rules? Any federally regulated financial institution is already subject to oversight by the appropriate federal banking regulators. Those regulators are allowed to impose penalties consistent with their current regulatory authority.

For those creditors that are not federally regulated financial institutions, oversight of the Red Flag rules is by the Federal Trade Commission (the FTC). In the event of a knowing violation that constitutes a pattern or practice of violations, the FTC may commence a civil action in federal court to recover a civil penalty. Penalties imposed by the FTC for violations of FACTA can be as much as $2,500 per infraction. 15 U.S.C. § 1681s. In addition to regulatory enforcement actions, users of consumer reports who fail to comply with the address discrepancy regulations are subject to civil liability under §§ 616 and 617 of the Fair Credit Reporting Act.

Technically, the Red Flag rules went into effect on January 1, 2008, with enforcement set to begin on November 1, 2008. However, due to the understandable confusion as to who or what is covered under the Red Flag rules, the FTC announced on October 22, 2008, that it would not enforce the rules until May 1, 2009. This delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2) and does not apply to the rules regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rules regarding changes of address for credit card issuers (16 CFR 681.3). The extension also does not affect entities, such as financial institutions, subject to enforcement of the Red Flag rules by federal agencies other than the FTC. But for the many small businesses that may not have realized they were a "creditor" under the rules, the end of the enforcement grace period is now looming in early 2009.

*Eric Packel is an associate in the Philadelphia, Pennsylvania, office. He can be reached at (215) 575-4554 or eapackel@Mdwcg.com.
