FACTA Red Flags

Who Is Covered and What Are Red Flags?

By Tanya Forsheit, Esq.

(October 22, 2008 Update: Although Federal Trade Commission enforcement of the FACTA "Red Flags" rule requiring creditors and financial institutions to have identity theft prevention programs has been delayed by six months, your organization should continue working towards full compliance.

FTC enforcement is suspended until May 1, 2009, "to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs," according to an FTC press release issued October 22, 2008.

This announcement does not affect Red Flags rule enforcement by other federal agencies that continue to hold to the Nov. 1, 2008, deadline, including: the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration.)

The continued growth of identity theft over the last several years spurred the enactment of numerous state, and some federal, laws to regulate how businesses store and protect consumers' and employees' personal data.

One such law, the Fair and Accurate Credit Transactions Act (FACTA) amendments to the Fair Credit Reporting Act (FCRA), now requires certain companies to design programs and policies to detect, prevent and mitigate identity theft connected with the opening of a "covered account" or any existing covered account. [72 Fed. Reg. 63,718]. The companies' policies and procedures must be designed to recognize and respond to "red flags" indicating the existence of identity theft.

On November 9, 2007, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Administration and the Federal Trade Commission issued a joint final rule (the "Red Flag Rule") pursuant to FACTA. The Red Flag Rule took effect on January 1, 2008. Covered businesses must comply by November 1, 2008.

Though many companies must comply with FACTA's Red Flag Rule, some are not covered by the rule. Small-business owners that have received e-mails alerting them to the Red Flag Rule should consult legal counsel to determine whether they are subject to the rule.

Who Is Covered by the Red Flag Rule?

The Red Flag Rule applies to all financial institutions and creditors that hold or maintain "covered accounts," which include (1) an account … primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and (2) any other account … for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. [See, e.g., 12 C.F.R. § 222.90(3)].

Financial institutions include banks, mortgage lenders, savings and loan associations, mutual savings banks, credit unions or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. [Id. § 222.90(7); 15 U.S.C. § 1681a(t)]. Creditors include persons or businesses that regularly arrange for the extension, renewal, or continuation of credit as well as "assignee[s] of an original creditor who participate[s] in the decision to extend, renew, or continue credit."

Examples include automobile dealers, mortgage brokers, utility companies, and third-party debt collectors. Although the question of whether a business is covered is very fact-specific, even small businesses like a mom-and-pop hardware store with tabs that customers pay every month could be covered. [15 U.S.C. § 1691a(e); see also 12 C.F.R. § 222.90(5)].

The agencies that created the Red Flag Rule "expect all financial institutions and creditors to evaluate the adequacy of existing policies and procedures and to develop and implement risk-based policies and procedures that detect Red Flags in an effective and comprehensive manner." [72 Fed. Reg. 63,728.]

What Are Red Flags?

To help businesses select appropriate Red Flags for their operations, the agencies provide an extensive list of possible Red Flags that may require further action if and when the company becomes aware of them. The list includes, among others:

  • A fraud alert, credit freeze, or address discrepancy that is included with a consumer report or provided by a credit reporting agency
  • A consumer report that indicates a pattern of activity which is inconsistent with the history and usual pattern of activity of an applicant or customer
  • Documents, applications, or photo identification that appear to have been altered or forged, or give the appearance of having been destroyed and reassembled
  • Other information on the identification that is not consistent with readily accessible information on file with the financial institution or creditor, such as a signature card or a recent check
  • Receiving personal identifying information that is inconsistent when compared to other such information on file with the financial institution or creditor or provided by the customer, or otherwise inconsistent when compared against external information sources used by the financial institution or creditor
  • Receiving personal identifying information that is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor
  • The Social Security number, address or telephone number that is provided is the same as that submitted by other customers or by an unusually large number of other persons opening accounts
  • Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account
  • A covered account is used in a manner that is not consistent with established patterns of activity on the account. [See, e.g., 12 C.F.R. Supplement A to Appendix J to Part 222.]

California businesses covered by the Red Flag Rule should begin reviewing and preparing their compliance plans today. Consult with counsel to determine whether and how the Red Flag Rule affects your business.

Tanya Forsheit is a litigation partner in the Los Angeles office of the international law firm of Proskauer Rose LLP and is a member of the Firm's Privacy and Data Security Group.


© 2009 California Chamber of Commerce. All rights reserved.