Enforcement of Red Flags Rule by FTC Postponed

August 6, 2009

On July 29, 2009, the Federal Trade Commission announced that it was postponing until November 1, 2009 its enforcement of the “Red Flags Rule” (the “Rule”), which may be found at 16 C.F.R. 681. Originally, enforcement of the Rule was scheduled to begin on August 1, 2009. Under the Rule, certain businesses and organizations are required to spot and act on certain activities or “red flags” that are often indicators of identity theft. To comply with the Rule, these businesses and organizations will need to develop and adopt a written “red flags program” to identify and detect “red flags” and ensure that the program is kept up to date in order to minimize damage from identity theft.
Review Definitions Carefully as Many Businesses Are Likely Covered
The Rule was discussed in detail in a Ruder Ware Legal Update dated July 27, 2009. Our discussions to date with a number of clients regarding the Rule indicate that there may be a false sense of security that the Rule applies only to financial institutions and/or only to those businesses that deal directly with consumers. We believe that a proper interpretation of the Rule indicates that it certainly applies to financial institutions and to those businesses that deal directly with consumers but that it also applies to all “creditors” having “covered accounts.”
The Rule defines a “creditor” as a business or organization that regularly:

Extends, renews, or continues credit;
Arranges for someone else to extend, renew, or continue credit; or
Is the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Any business or organization that allows payment for goods and services to be made after a purchaser (whether the purchaser is a consumer or a business entity) receives the goods or services is a “creditor” under the Rule. We believe that most businesses will be a “creditor” for the purposes of the Rule.
The Rule also defines a “covered account” as:

An account used mostly for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions and establishes a continuing relationship with the financial institution or creditor. An account used mostly for personal, family, or household purposes will generally have account holders that are individuals. This type of account includes accounts such as credit card accounts, mortgage loans, car loans, consumer leases, margin accounts, cell phone accounts, utility accounts, certificates of deposit, retirement or IRA accounts, trust accounts, or checking or savings accounts.
An account for which there is a foreseeable risk of identity theft, such as a small business or sole proprietorship account, or where the safety and soundness of the financial institution or creditor, including financial, operations, compliance, reputation, or litigation risks, indicate that there is a foreseeable risk of identity theft. This type of account may include accounts where instances of identity theft have occurred in similar accounts (which indicates that there is a foreseeable risk of identity theft) or where the information presented by an account holder is similar to that presented by an individual (such as where a small business or sole proprietorship presents the owner’s information as the information for the business).

If a business or organization is a “creditor,” but does not have any “covered accounts,” the business or organization does not need a red flags program. However, if a business or organization is a “creditor” and has “covered accounts,” the business or organization must develop and implement a written program to identify and address the red flags that could indicate identity theft.
Many businesses which sell goods or services only to other businesses may not satisfy the requirements of subsection 1. of the definition of “covered account”. However, subsection 2. of the definition of “covered account” will be satisfied if there is a “foreseeable risk of identity theft”. This language is quite broad and at this time is undefined through regulatory interpretation or case law. However, we believe that an expansive interpretation of the Rule is appropriate and that most businesses should act as if they will be subject to the Rule.
Identity theft is most often thought of as involving the misappropriation or misuse of “personally identifiable information”. The term “personally identifiable information” has been defined in an Office of Management and Budget (“OMB”) Memorandum from 2007 as “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” This definition has been referenced in recent reports which have been prepared by the National Institute of Standards and Technology (“NIST”) and the United States Government Accountability Office (“GAO”).
Identity theft does not only affect individuals. It also is possible that a business could be the victim of identity theft if bank account information and/or other identifying information which is unique to that business is compromised, misappropriated, or misused. Accordingly, any business which utilizes or maintains records of “personally identifiable information” of individuals or businesses could be subject to a “foreseeable risk of identity theft”.
For these reasons, we recommend that most businesses, if they are not otherwise specifically covered by the Rule as a “financial institution”, should anticipate that they will be subject to the Rule as a “creditor” and that they will likely be found to have “covered accounts” if they utilize or maintain records of “personally identifiable information” of individuals or businesses which are subject to a “foreseeable risk of identity theft”.
If you have questions regarding the above, please contact Derek Prestin, the author of this article, or any of the attorneys in the Business Transactions Practice Group of Ruder Ware.

Back to all News & Insights

This document provides information of a general nature regarding legislative or other legal developments, and is based on the state of the law at the time of the original publication of this article. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed. You should not act upon the information in this document without discussing your specific situation with legal counsel.

© 2023 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.