November 09, 2011
Now effective January 1, 2011, certain businesses in the United States are required to implement a written Identity Theft Prevention Program to detect warning signs (so-called Red Flags) and to implement processes to quickly mitigate the impact of identity theft and to stop further instances.
On December 8, 2010, the Red Flag Program Clarification Act of 2010 passed in the House of Representatives. The Clarification Act limits the definition of a “creditor” under the Fair Credit Reporting Act to only those entities that use consumer reports, furnish information to consumer reporting agencies, or advance funds to or on behalf of a person. By using this definition, the Act now excludes law firms, health care practices, retailers, utility companies, telecommunications firms, automobile dealerships, and other small businesses from having to comply with the Red Flags Rule. The purpose of the revision is to ensure that the Red Flags Rule covers creditors who pose the highest risk for identity theft. The clarification is significant for health care entities, lawyers, accountants, other professionals, and small businesses that will not be subject to FTC regulation for any violation of the Red Flags Rule.
Question: What Businesses Must Comply With The FTC Red Flag Rule?
The Red Flag Rule applies to businesses deemed to be either "financial institutions" or "creditors" and that have "covered accounts." Of note is the FTC's broad definition of "creditor" entities and "covered accounts." These terms are broadly defined to include many types of businesses, across many industry classes.
"Creditor" was originally defined in the Act to include any organization that "regularly defer(s) payment for goods or services or provides goods or services and bills customers later," including but not limited to lawyers, accountants, healthcare providers and telecommunication companies. (See 15 U.S.C. § 1681a(r)(5); 15 U.S.C. § 1691a(d); 15 U.S.C. § 1691a(e).) The definition also applied to those entities that provide loans or extend credit, such as finance companies, mortgage brokers, retailers and car dealerships. The definition went one step further to include any entity that regularly engaged in the decision to extend, renew or continue credit, such as a third-party debt collector. The Clarification Act limits the definition of "creditor" to a person who obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on the recipients' obligation to repay.
"Covered Account" is the linchpin term that determines whether an entity is required to comply with the Red Flag Rule. Any "financial institution" or "creditor" that has either 1) consumer accounts that permit multiple payments or transactions or, very importantly, 2) any other account that presents a reasonably foreseeable risk of identity theft must implement a written Identity Theft Prevention Program.