Fighting identity theft—that is of utmost importance to the FTC. For the last nine years, identity theft has topped the list of consumer complaints received by the FTC. The FTC views the Red Flags Rule as a crucial weapon in the fight against identity theft. That is partially what’s behind the FTC’s second moratorium on enforcement.
On April 30, the FTC announced that it was granting an additional three month forbearance on enforcement. The agency will begin enforcing the Red Flags Rule on August 1, 2009. Note that enforcement for entities regulated by the federal banking agencies (FRB, OCC, FDIC, OTS, or the NCUA) began last year on November 1, 2008. The Red Flags Rule requires “financial institutions” and “creditors” with “covered accounts” to develop and implement a written identity theft prevention program (ITPP).
There has been much controversy and debate about who is a “creditor.” The Red Flags Rule adopts the Equal Credit Opportunity Act’s definition of “creditor,” which is “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” “Credit” means “the right granted by a creditor to a debtor to defer payment of debt or to incur debt and defer its payment or to purchase property or services and defer payment therefor.”
The FTC has cast a very wide net of who meets the definition of creditor for purposes of the Rule. Any entity that defers payment for goods or services–—that is, any entity that does not require payment up front but instead bills a consumer after providing goods or services is a creditor. This means that hospitals, doctors, and lawyers, as well as local restaurants, corner convenience stores and cleaners are creditors if they let their customers, “run a tab.” Entities not traditionally considered “creditors” are just realizing that they are subject to the Rule, wondering what it means to comply with the Rule, and anxious about what their ITPP should look like.
The FTC estimates that there are eleven million “creditors” subject to the Rule.
This is precisely why the FTC has delayed enforcement—or at least it is one of the principle reasons. The moratorium gives entities that didn’t know they were creditors more time to comply. In addition, the FTC plans to publish a template for the required written ITPP to help the non-traditional creditors. Reports are that the template will be a “fill in the blank” document geared toward entities with a low risk of identity theft. The template will likely be published in late May or early June, giving entities ample time to come into compliance before the August 1 enforcement date.
In addition to providing entities more time to comply, this delay may be a call for help to Congress. The FTC has been widely criticized for misinterpreting the definition of “creditor.” In its April 30th Release, the FTC invited Congress to weigh in on this fundamental issue. The FTC Chairman, Jon Leibowitz, is quoted as saying, “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.” If Congress does not act, don’t be surprised if the FTC declares that they got it right—that they captured the essence of what Congress intended in § 114 of the Fair and Accurate Credit Transaction Act. If Congress does act and corrects the FTC by refining, clarifying or narrowing the definition of creditor, then the controversy is resolved.
What about enforcement? The FTC, unlike the federal banking regulators, does not conduct examinations; rather it is a law enforcement agency. As such, it will not give any “pre-approvals” or “in compliance” report cards. What the FTC will do, however, is reveal what non-compliance looks like. Joel Winston, Associate Director for Privacy and Identity Protection in the FTC’s Bureau of Consumer Protection, has stated publicly that the FTC has not formulated an enforcement plan. He expects, however, that it will follow the same course as the FTC’s path on data security. Entities that have demonstrated good faith efforts to comply with the Rule will not be targeted; nor will the FTC prosecute based on “technicalities.” Instead, the FTC will pursue and prosecute entities that have grossly violated or completely ignored the Rule. In addition, don’t expect the FTC to sue immediately. At first, it will likely attempt to resolve compliance issues informally.
The FTC does have a head start on where to look for compliance weaknesses when it begins enforcement. Financial institutions have been subject to examination and enforcement since November 1, 2008. Earlier this spring a Senior Policy Analyst from the FDIC spoke about the Red Flags Rule at a conference in Washington, D.C. He shared with the audience the following three areas that the FDIC found lacking or in need of improvement: (1) the inclusion of “covered accounts,” (2) oversight of service providers, and (3) training. Overall, however, the FDIC found most financial institutions compliant. The identification of covered accounts is a basic element and the first step in developing an ITPP. Oversight of service providers and training are required components of the administration of an ITPP.
How can covered entities reduce the chances for enforcement actions? Both nontraditional and traditional creditors should keep in mind that as a fundamental matter, the Red Flags Rule emphasizes that the ITPP is risk-based. An ITPP will comply if it is appropriate to the size and complexity of the covered entity and to the nature and scope of the entity’s activities. The FTC is “marketing” this element extensively—likely to counterbalance and take the sting out of applying the Rule so broadly to industries and entities not traditionally deemed creditors. The FTC staff has publically asserted that developing an ITPP is not cause for panic. If a covered entity has a low risk profile, its program can be streamlined. If a covered entity has a higher risk profile, it likely already has a fraud detection program. And, if so, such program is the starting place for developing the ITPP.
The FTC has developed some good resources to help covered entities create and implement an ITPP. Last year in June 2008, the FTC published an “Alert,” available at http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, to inform businesses about the Rule and how to comply. On April 2 of this year, the FTC launched its Red Flags Rule website. The website, available at http://www.ftc.gov/redflagsrule, includes the publication, Fighting Frauds with the Red Flags Rule, aimed at helping entities implement identity theft prevention programs. Soon, the FTC will be publishing an ITPP template.
Although the template the FTC plans to publish may work for some, the consumer credit industry should be very cautious about using it as its complete ITPP. While it will certainly be a useful resource, it will probably not be sufficiently robust to address the needs of an entity with moderate to higher risks of identity theft. Covered entities should be mindful that even the FTC has said that the template ITPP is suited for entities with a low risk profile. A bit of irony may result from the publication of the ITPP template. Fill-in-the-blank documents lend themselves to being completed and promptly filed away on a shelf, never to be revisited or even remembered. Such a result would clearly be contrary to the very purpose for the Rule. The Rule requires the ITPP to be adaptable, frequently reevaluated and continuously updated as methods of identity theft are detected and changed.
In addition to creating the template, the FTC has also concentrated many resources specifically to educating non-traditional “creditor” industries, speaking at seminars, meeting with industry associations, conducting its own outreach campaign, and telling covered entities not to panic. Expect the FTC to continue this campaign in the short-term. However, once the dust settles and newly designated “creditors” have had sufficient time to comply, enforcement actions will follow.
A covered entity needs to make a good faith effort to comply with the Rule, and good faith means more than simply establishing an ITPP. It requires that the ITPP be kept fresh and up to date. The Red Flags Rule requires an entity to periodically identify covered accounts. The ITPP must be updated periodically to reflect changes in identity theft risks to consumers and to the safety and soundness of the covered entity. Of course, follow through is also necessary. That means acting in accordance with the ITPP’s policies and procedures. If identity theft does occur, it doesn’t mean the ITPP is not compliant. It may mean, however, that the ITPP needs updating, particularly if there is a pattern or practice of identity theft developing.
How will problems arise? How will the FTC identify targets for enforcement? What should covered entities be particularly mindful of? In addition to addressing the items previously noted, a covered entity should be very cautious with respect to its reporting of information to consumer reporting agencies. One of the ways the FTC will identify targets is keeping a close eye on consumer complaints. Expect victims of identity theft frustrated with unsuccessful attempts to clean their consumer reports to file complaints with the FTC. What does that mean? Part of a covered entity’s response should be to mitigate the effects of identity theft—this means correcting any misinformation previously reported about the victim and not reporting, or re-reporting, incorrect information. In addition, if a Red Flags Rule investigation will not be resolved quickly, the covered entity may want to consider suspending all reporting to consumer reporting agencies with respect to the potential victim. That way, if identity theft is confirmed, there’s no misinformation to correct.
After two delays in the enforcement timeline, the FTC will not tolerate non-compliance, particularly gross non-compliance. The privacy and data security enforcement actions are a good illustration of this. The FTC has brought 26 law enforcement actions since 2001 for failures to maintain reasonable procedures to protect consumers’ personal information.
The Red Flags Rule is intended to fight identity theft. Keeping this purpose in mind while developing, executing and updating the ITPP, will help covered entities ensure compliance with the Red Flags Rule and avoid enforcement actions.
Patty Covington is a partner in the Maryland office of Hudson Cook, LLP. Basis Points readers can reach Patty at 410.865.5409 or by email at pcovington@hudco.com.