Any business that has creditor relationships with customers will face the burden of implementing an identity theft prevention program or risk a $3,500 fine from the Federal Trade Commission (FTC). According to the FTC’s Red Flags Rule, which was originally to go into effect Nov. 1 but has been postponed until June 1, 2010, businesses must have a written identity theft protection program in place designed to identify and detect the warning signs of identity theft.
So, how does a company determine if it is subject to the Red Flags Rule? Businesses and organizations that meet the rules’ definition of “creditors” or “financial institutions” and that maintain “covered accounts” are required to have a written identity theft prevention program in place. These terms are broad and we expect to see many businesses caught off guard.
The term “creditor” is very broadly defined and includes those entities that defer payment for goods or services, or that provide goods or services and bill the customer later. These broad definitions could include non-profits, homebuilders, telecommunications companies, government agencies, utilities and health care providers. The term further includes those organizations that regularly grant loans, make credit decisions and arrange for loans or the extension of credit, such as automotive dealers, mortgage brokers, mortgage bankers, real estate agents, finance companies and retailers that offer financing or help consumers obtain financing from another organization.
“Financial institutions” include banks, savings and loan associations, mutual savings banks, credit unions or institutions that maintain deposits or accounts from which the account holder is permitted to make withdrawals by negotiable or transferable instrument.
However, “creditors” and “financial institutions” are subject to the rules only if they maintain “covered accounts.” There are two categories of “covered accounts.” The first category includes a consumer account offered primarily for personal or household purposes that is designed to allow multiple payments and transactions. The second is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness of the financial institution or creditor from identity theft.” In order for an organization to determine whether or not it fits into one of these categories, it must look at what types of accounts it offers, how they are opened and how they are accessed.
If a company or organization does not maintain “covered accounts,” then it does not need to implement an identity theft protection program. However, those entities that fit within the definition of “creditors” or “financial institutions” and maintain “covered accounts” must create and implement a written identity theft program if they have not already done so.
Any organization that suspects it may be subject to the Red Flags Rule should have an attorney determine whether the rule applies to that organization, help draft written identity theft prevention programs and help administer those programs.