New FTC "red flag" rules will apply to more than 2 million businesses

Matthew Wilson

October 13, 2008

The Federal Trade Commission, along with the OCC, FDIC, Federal Reserve and various other federal agencies, have issued a set of rules and guidelines to combat the proliferation of identity theft. These new "red flag" rules and guidelines mandate that all financial institutions and creditors -- a category that is broadly defined -- develop and implement an identity theft prevention program designed to detect, prevent, and mitigate the effects of, identity theft.

The new rules apply to an extremely broad range of businesses that offer certain "covered accounts" to consumers (approximately 2 million entities according to FTC estimates), including, automobile dealers, telecommunications providers and hospitals, as well as any other person or entity that regularly extends, renews or arranges for the continuation of credit to its customers.  Under the rules, the definition of "covered account" is quite broad and will encompass any consumer account that permits multiple payments or transactions or any other account that may pose a reasonably foreseeable risk to consumers or businesses from identity theft.  This category will include many healthcare providers given the common post-services payment for healthcare services.    

These rules require that all covered entities develop and implement a written compliance program that includes each of the following four basic elements: (1) the identification of red flags, (2) the detection of such red flags, (3) an appropriate response to any such detection, and (4) the periodic review and updating of the overall program.  In addition to the inclusion of these guidelines, each program must be specifically tailored to the size, nature and complexity of the applicable business and should consider trends in the marketplace along with any historical experiences dealing with identity theft. Upon development, each program must be formally authorized and adopted by the entity's governing body or senior management, and such body or persons are required to provide on-going administrative oversight of the program's implementation, which includes staff training, audit compliance, and the generation of annual assessment reports.

While federally regulated financial institutions are subject to oversight by the appropriate federal banking regulators, the majority of effected persons and entities will fall under the regulatory wing of the FTC.  Accordingly, in the event of any knowing violation of the rules, the statute provides that the FTC may commence a civil action with respect to any violation and may seek pecuniary penalties not to exceed $2,500 per infraction.  In addition to the prescribed regulatory enforcement actions, any failure to comply with the rules can also serve as the basis for private civil and/or class action lawsuits.

Matthew Wilson is an attorney at law at Arnall Golden Gregory LLP.

Related Content:

• Business schools alter their approach
• Digital marketing strategies for small business
• No time to throw up your hands and cry 'uncle'
• ADA amendments reflect Congressional intent

---