New FTC "red flag" rules will apply to more than 2 million businesses
Matthew Wilson
October 13, 2008
The Federal Trade Commission, along with the OCC, FDIC, Federal Reserve and various other federal
agencies, has issued a set of rules and guidelines to combat the proliferation of identity theft.
These new "red flag" rules and guidelines mandate that all financial institutions and creditors --
a category that is broadly defined -- develop and implement an identity theft prevention program
designed to detect, prevent, and mitigate the effects of, identity theft.
The new rules apply to an extremely broad range of businesses that offer certain "covered
accounts" to consumers (approximately 2 million entities according to FTC estimates), including
automobile dealers, telecommunications providers and hospitals, as well as any other person or
entity that regularly extends, renews or arranges for the continuation of credit to its
customers. Under the rules, the definition of "covered account" is quite broad and will
encompass any consumer account that permits multiple payments or transactions or any other account
that may pose a reasonably foreseeable risk to consumers or businesses from identity theft.
This category will include many healthcare providers, because healthcare services are commonly
paid for after they are provided.
These rules require that all covered entities develop and implement a written compliance
program that includes each of the following four basic elements: (1) the identification of red
flags, (2) the detection of such red flags, (3) an appropriate response to any such detection, and
(4) the periodic review and updating of the overall program. In addition to the inclusion of
these guidelines, each program must be specifically tailored to the size, nature and complexity of
the applicable business and should consider trends in the marketplace along with any historical
experiences dealing with identity theft. Upon development, each program must be formally authorized
and adopted by the entity's governing body or senior management, and such body or persons are
required to provide on-going administrative oversight of the program's implementation, which
includes staff training, audit compliance, and the generation of annual assessment reports.
While federally regulated financial institutions are subject to oversight by the appropriate
federal banking regulators, the majority of affected persons and entities will fall under the
regulatory wing of the FTC. Accordingly, in the event of any knowing violation of the rules,
the statute provides that the FTC may commence a civil action with respect to any violation and may
seek pecuniary penalties not to exceed $2,500 per infraction. In addition to the prescribed
regulatory enforcement actions, any failure to comply with the rules can also serve as the basis
for private civil and/or class action lawsuits.
Matthew Wilson is an attorney at law at Arnall Golden Gregory LLP.