April 20, 2009 - Starting May 1, 2009, the FTC will enforce its new "Red Flags Rules." These rules require many local governments, including housing authorities, utility districts, hospitals and universities, to implement a customized program to reduce identity theft. If the Red Flags Rules apply to your organization, you need to ensure that you have implemented a reasonable program to detect and respond to signs of identity theft.

Who Must Create A Program?

The Red Flags Rules apply to any entity that (1) extends credit, and (2) maintains or offers any consumer account that (a) is used primarily for personal or household purposes, and (b) involves multiple payments or a reasonably foreseeable risk of identity theft harm to the consumer.

The Red Flags Rules likely apply to governmental entities that maintain customer billing accounts that permit the customer to pay after the service has been rendered, such as a utility or clinic. The Rules would also likely apply to an agency that makes or arranges for loans to an individual, such as through a student loan account. The Rules apply only to these covered accounts. They do not apply to other records, such as patient treatment records.

What Do the Rules Require?

If the Rules apply to your entity, then you must implement a customized program for the covered accounts. The program must include written policies and procedures to do these three things:
(1) Create a list of "Red Flag" warning signs that identity theft may be happening in a consumer account or account application. For example:

  • You receive a complaint about a covered account from a consumer, provider, law enforcement agency, or credit bureau.
  • A new patient presents an obviously altered ID or information that is inconsistent with the existing account.
  • A student requests large additional loans disbursed to a new bank account.
The Rules include a sample list of 26 possible Red Flags, as a starting point for generating your entity's list. See http://edocket.access.gpo.gov/cfr_2009/janqtr/pdf/16cfr681AppA.pdf.

(2) Detect Red Flags when they happen in a covered account.

(3) Respond appropriately when a Red Flag is detected.

Under the Rules, the plan must include the following types of policies and procedures in order to accomplish those three goals:

  • Training for customer service and other relevant staff;
  • Methods to require compliance by outsourced account managers or service providers;
  • Program oversight by senior management or a board committee; and
  • Annual internal compliance reports.

Each entity's Red Flags and program will depend on the types of accounts and the nature and size of the entity. Various entities have created Red Flags policies that you can consider adapting for your own use, such as http://www.aha.org/aha/advocacy/compliance/redflags.html. Foster Pepper did not draft this example and expresses no opinion as to its suitability for your use.

How Are The Rules Enforced?

The Rules are enforced by the FTC. Enforcement is likely to be driven by consumer complaints. The FTC can issue cease and desist orders after a hearing, and in the event of a violation of such an order, may sue for up to $10,000 per day of violation. See 15 U.S.C. §§ 45, 1681s,

Where Can I Find Out More?

The FTC has general guidance at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml. The Rules are codified at 16 C.F.R. § 681.2 & Appendix A.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.