Red Flag Provisions: Identity Theft Prevention

Deb Geister, Director, Fraud Prevention & Compliance Solutions, LexisNexis

November 1, 2008, marked the deadline for compliance with the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) by financial institutions and other creditors. These provisions require organizations to be able to "identify patterns, practices and specific forms of activity that indicate the possible existence of identity theft," and to develop and deploy effective prevention programs.

Adopted in December 2003, FACTA addresses a range of issues related to the use of private data by creditors and the financial services industry. Among other provisions, the act forced credit agencies to allow consumers to obtain a free credit report every twelve months. The act also addressed the problem of identity theft, mandating the secure use of consumer data and establishing the Red Flag rules designed to prevent identity theft.

While the Red Flag rules went into effect on January 1, 2008, with little comment or debate, anecdotal evidence suggests that many financial institutions are not ready. They have yet to make an effort at compliance. In fact, some estimates indicate that only one-third of U.S. financial institutions would have been compliant by the November 1 deadline. However, recently the Federal Trade Commission (FTC) announced that it will not enforce compliance with the Red Flags rules until May 1, 2009, for entities under its jurisdiction. This provides a reprieve for some organizations, specifically state-chartered credit unions and non-financial institutions such as mortgage brokers, mortgage lenders, auto dealers, hospitals, utility companies, and municipalities.

While the FTC’s decision provides an additional six months for those particular organizations to comply with the Red Flag provisions, it does not afford them a get-out-of-jail-free card. Legally, the FTC cannot push back the previous November 1 deadline for any organization; what the FTC is essentially doing is saying they will not prosecute for non-compliance for another six months. As a result, any entity that does not comply by November 1, is still considered non-compliant and is exposed to potential lawsuits from plaintiff attorneys.

Unfortunately any misconceptions that these rules are relatively insignificant or easily complied with, they are exactly that, misconceptions. The Red Flag provisions cast a wide net, encompassing many types of entities within various industries, such as banks, insurance companies, collections agencies, etc. Moreover, many of the definitions within the new rules could greatly expand the scope of compliance. In addition, organizations need to understand if they offer a covered account—defined in this legislation as any consumer account involving multiple payments or transactions - they are subject to these regulations as well.

In order to be compliant, any "financial institution and creditor that holds any customer account, or other account, for which there is a reasonable foreseeable risk of identity theft" must develop an identity theft prevention program. The rules have four principle components:

Identity theft is a costly and destructive issue; business and consumer losses totaled $56.6 billion in 2005 alone. However, as destructive as identity theft can be to a business, the failure to comply with regulations such as the Red Flag rules, designed to mitigate the negative affects of identity theft, can be even more disruptive and costly. In order to avoid potential losses, coupled with regulatory fines, costly investigations and potential lawsuits, it is imperative that all affected institutions quickly deploy effective, compliant programs to implement the most effective identity theft prevention program possible.