The Red Flag Rule issued by the Federal Trade Commission (“FTC”) under the Fair and Accurate Credit Transactions (FACT) Act of 2003 requires that all creditors, including utilities and telecommunications companies, develop and implement a written identity theft prevention program. The final deadline for full compliance is May 1, 2009.
Who Must Comply?
The Red Flag Rule applies to all creditors with covered accounts.
- A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
- Credit means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, credit exists when payment is made after the product is sold or the service is rendered.
- A covered account is an account used mostly for personal, family or household purposes, that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.
What is a Red Flag?
If a creditor determines that it maintains covered accounts for customers, it is required to develop a written program that identifies and detects the relevant warning signs that would indicate the possible existence of identity theft associated with those covered accounts. These warning signs are known as Red Flags.
- A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
- A supplement to the Red Flag Rule identifies 26 possible Red Flags as examples that creditors should use as a starting point in analyzing Red Flags that would apply to them. The examples of Red Flags fall into the following five categories:
  - alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
  - suspicious documents;
  - suspicious personal identifying information, such as a suspicious address change;
  - unusual use of, or other suspicious activity related to, a covered account; and
  - notices from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
What Are the Required Components of an Identity Theft Prevention Program?
After the creditor has identified the Red Flags that would indicate the possible existence of identity theft in its covered accounts, its identity theft prevention program must describe appropriate responses that would prevent and mitigate the crime. The program must be approved by the Board of Directors, managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
The Red Flag Rule is flexible and provides all creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as to the nature of their operations.
An identity theft prevention program must include reasonable policies and procedures to:
- Identify relevant Red Flags. In identifying the Red Flags, a creditor must consider the risk factors that it faces for identity theft, as well as the examples of specific Red Flags that are identified in the Red Flag Rule.
- Detect the relevant Red Flags. For example, a creditor may want to establish procedures to obtain identifying information about, and to verify the identity of, a person opening a covered account.
- Respond appropriately to any Red Flags that are detected.
- Update the program as necessary based on changes in risks to customers and the creditor’s experiences with identity theft.
Dorsey & Whitney LLP has created identity theft prevention programs customized to meet our clients’ needs. Please contact one of the lawyers in the panel if you would like further information on the Red Flag Rule or if you have any questions on the program.