FTC Enforcement of Identity Theft Red Flags Rule for Financial Institutions and Creditors Delayed Until May 1, 2009

October 23, 2008

The Federal Trade Commission (“FTC”) announced Wednesday that it will delay enforcement of the new Red Flags Rule (the “Rule”) until May 1, 2009. Enforcement was originally set to begin on the November 1, 2008 compliance date, but after receiving hundreds of inquiries, the FTC elected to suspend enforcement to allow financial institutions and creditors additional time in which to develop and implement written identity theft programs (“Programs”). During the FTC's outreach efforts, the Commission found many industries confused and uncertain about their coverage under the Rule. The FTC’s announcement does not affect enforcement of the original November 1, 2008 deadline by the Department of the Treasury, Federal Reserve System, Federal Deposit Insurance Corporation, and National Credit Union Administration. Accordingly, institutions not under the purview of the FTC must be in compliance by November 1, 2008. The FTC Rule mandates all “financial institutions” and “creditors” that maintain any “covered accounts” to develop and implement a written, boardapproved program that identifies and detects the relevant warning signs, or “red flags,” of identity theft. The Red Flags Rule contains broad definitions of “financial institutions” and “creditors,” and companies must take a close look at the Rule to determine whether it applies.

What Is the Red Flags Rule and to Whom Does It Apply?

The Red Flags Rule was passed as part of the Fair and Accurate Credit Transactions Act in 2003 and furthers the FTC’s campaign to protect consumers from identity theft. Under the Rule, financial institutions and creditors that offer or maintain “covered accounts” must develop and implement an identity theft prevention program for combating identity theft. A “covered account” is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.

How Does the Rule Define “Creditor” and “Financial Institution”?

The defi nitions of “creditor” and “financial institution” are expansive. Under the Rule, a “creditor” is any entity or person who regularly arranges for, extends, renews, or continues credit. The Rule further defines “credit” as the right granted by a creditor to a debtor to defer payment of debt. A “creditor” therefore includes any entity that regularly offers payment plans or permits payment in arrears. A “financial institution” is “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.” A “Transaction Account” is, in turn, defined as “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.”

The broad scope of the Rule requires all banks, credit card companies, mortgage brokers, utility companies, hospitals, non-profits, government entities, professional service providers, and nearly every financial institution and retail organization to examine their operations carefully to determine if the Rule applies.

What Are the “Red Flags” of Identity Theft?

The Rule defines a red flag as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” The Rule does not specifically identify relevant red flags, but rather opts to allow covered entities to determine relevant red flags based on (1) the types of covered accounts offered or maintained; (2) the methods provided to open covered accounts; (3) the methods provided to access covered accounts; and (4) previous experiences with identity theft. Thus, creditors and financial institutions will need to review their databases and security programs to analyze possible points of entry. Creditors and financial institutions will also need to assess any previous warnings of identity theft, whether competitors have experienced identity theft, whether there has been unusual account activity, and whether consumer reporting agencies have issued any fraud detection alerts. The Rule itself provides covered entities with a list of several identity theft red flags for consideration. Accordingly, entities should examine the examples provided in the Rule and determine if any apply.

What Type of Program Does the Rule Require?

Organizations subject to the Rule must institute a written, board-approved identity theft program that provides a means for identifying, detecting, preventing, and mitigating theft of their customers’ personal information. More specifically, subject financial institutions and creditors must have Programs that allow them to (1) identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program; (2) detect red flags that have been incorporated into the Program; (3) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and (4) ensure that the Program is updated periodically to reflect changes in risks of identity theft. An effective Program will necessarily include notice procedures that the organization follows in the event of a data breach. The notice procedures should include information regarding what state and federal authorities to contact in the event of a breach, what consumer notifications are required, the mandatory content of any consumer notification, and information for consumers on how they can ensure the security of their identity after a potential breach has been detected.

The Rule also compels board approval of the initial written Program; ensuring oversight of the development, implementation, and administration of the Program; training for staff; and oversight of any service providers. Covered entities are permitted to tailor their Programs to their operations so long as the Program is appropriate to the size and complexity of the creditor or financial institution and the nature and scope of its activities. Companies should therefore consider the types of customer information stored. If a covered entity maintains background personal information in addition to social security number and bank account information, then the Program must account for the importance of that information and identity thieves’ ability to use it for improper purposes. Companies should further consider how the information is maintained, whether the data is segregated into different databases, whether it is encrypted, and how it is encrypted. Analysis of existing processes and procedures that control reasonably foreseeable risks to customers’ identity may be useful, as the Rule permits covered entities to incorporate such procedures into the newly developed Program.

What Oversight is Required Over Service Providers?

Organizations that engage service providers must ensure that the providers conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. If a financial institution employs a thirdparty billing provider to handle customer billing accounts and that third-party loses customers’ personal information, the financial institution may be subject to civil monetary fines and enforcement actions if it failed to develop proper oversight programs under its identity theft program. To comply with the Rule, the financial institution would need to ensure that the third-party billing provider has its own reasonable policies and procedures in place designed to detect, prevent, and mitigate the risk of identity theft. Alternatively, the financial institution could contractually mandate the service provider to adhere to its Program in conducting any business on behalf of the financial institution.


Organizations are encouraged to review the Red Flags Rule and analyze any processes or procedures currently in place. All organizations present a unique set of customers, security needs, and variable risks. The size and scope of an organization and the nature of its business will determine what security measures are appropriate. Taking an objective hard look at an organization is step one in avoiding FTC enforcement action, ensuring the continued patronage of customers, and protecting customers from the very serious risks of identity theft.

View PDF version of this OnPoint.

Subscribe to Dechert Updates