Red Flags Signal Uncharted Territory for Many Businesses by November 1, 2008

By Jennifer Rossi

At the end of 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACT Act), an amendment to the Fair Credit Reporting Act (FCRA). The FACT Act requires financial institutions and creditors to create and maintain written programs for identifying "patterns, practices, and specific forms of activity that indicate the possible existence of identity theft."

The definition of "financial institution" under the FACT Act includes not only the traditionally recognized bank, savings and loan association, and credit union, but also any other business that "directly or indirectly holds a transaction account belonging to a consumer." The definition of "creditor" casts an even wider net: it includes any business that regularly extends, renews, or continues credit and "any assignee of an original creditor who participates in the decision to extend, renew or continue credit." Examples of creditors could include car dealerships, utility companies, mortgage brokers, or, under the proverbial catch-all, any business that directly or indirectly holds a transaction account belonging to a consumer.

As part of the FACT Act, Congress instructed the Federal Trade Commission and other banking-related agencies to establish guidelines to help businesses develop programs to spot the so-called "red flags" of identity theft. After nearly four years of drafting, re-drafting and public comment, the Comptroller of the Currency, Federal Reserve, FDIC, Office of Thrift Supervision, National Credit Union Administration, and FTC issued their final Red Flag Rules and Guidelines on November 9, 2007. Although mandatory compliance is not required until November 1, 2008, businesses are scrambling to develop or update their programs. Not surprisingly, several companies are touting products that promise compliance.

With new rules come potential new pitfalls, and businesses of all types that maintain consumer credit information are right to be concerned about an uptick in litigation. Vigorous enforcement of the Red Flag Rules by the agencies that drafted them should be anticipated. The FTC, for example, has expressly established information security as a priority in its enforcement efforts. Indeed, even before the Red Flag Rules take force and effect, the FTC has already brought nearly two dozen complaints against businesses for "security deficiencies in protecting sensitive consumer information." To date, it has done so under its general authority to prevent unfair competition and deceptive acts.

Although written identity theft programs are required only of businesses with "covered accounts," all businesses bear the burden of assessing whether they offer or maintain such accounts. Covered accounts are defined as those primarily for personal, family or household purposes that involve or are designed to permit multiple payments or transactions. Examples listed in the rules include credit cards, mortgages, auto loans, checking and savings accounts, and utility and cell phone accounts. Also considered covered accounts, however, are those accounts for which there is a "reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor."

Notwithstanding their scope, the Red Flag Rules allow businesses to tailor their programs to fit their own size and complexity. In addition, the programs may be established in the form of amendments to a business's existing procedures. Regardless of its level of sophistication, however, each program fundamentally must include means of identifying, detecting, and responding to red flags, as well as a system for its own periodic review and improvement. For one thing, the Red Flag Rules require boards of directors, or at least appropriate board committees, to sign off on all initial plans. They also recommend policies and procedures for detecting red flags, such as verifying customer identity and monitoring account transactions. Finally, the guidelines describe appropriate responses to red flags, including contacting the affected customer, changing security codes, and notifying law enforcement personnel.

However helpful, the guidelines are only a start. Undoubtedly, it will be some time before either the agencies or the industry has a solid sense of what constitutes a strong yet workable theft prevention program. In all likelihood, that understanding will be the product of both consensus and contention. Businesses should do their utmost, of course, to foster the former. A good faith effort to comply with the Red Flag Rules is an essential start.

This article was originally published in Robinson & Cole LLP's Spotlight newsletter. See Jennifer Rossi's presentation "The FCRA: It's Not Just for Credit Bureaus" at the IAPP Privacy Academy later this month.

Jennifer Rossi leads the Consumer Financial Services Team at Robinson & Cole LLP. She is a member of the Business Litigation Practice Group. She counsels businesses on compliance with the FCRA and FACT Act, and she represents businesses in consumer tort litigation (including class actions) involving claims under the FCRA and FACT Act. Before joining Robinson & Cole, she served as national defense counsel for a national credit bureau in state and federal courts nationwide.
