Identity theft has had a crippling effect on more than 9 million Americans, according to the Federal Trade Commission (FTC), and businesses that collect or hold identifying information report millions of dollars in annual losses as a result of these crimes.
New identity theft regulations for creditors — which can include technology retailers, Internet service providers and telecommunications equipment/service companies, among others — come into effect on May 1, 2009.
In order to prevent and properly report identity theft, safeguard data and ensure regulatory compliance, creditors should familiarize themselves with the FTC’s new identity theft red flag regulations as soon as possible.
In response to an increase in consumer identity theft, President George W. Bush signed the Fair and Accurate Credit Transaction Act (FACT) into law on Dec. 4, 2003. FACT added several new provisions to the Fair Credit Reporting Act of 1970, including a chief provision that strengthened the tools consumers have available to combat identity theft.
On Oct. 31, 2007, the FTC, along with federal banking regulators, took the next step and published a final set of Red Flag regulations that put certain sections of FACT into effect. These regulations required all financial institutions and creditors to develop and implement written red flag identity theft programs no later than Nov. 1, 2008.
However, on Oct. 22, 2008, the FTC announced that it would delay the enforcement of the Red Flag rules by six months, to May 1, 2009, after discovering that a number of institutions, entities and industries subject to the rules, but not generally governed by FTC regulations, remained uncertain about compliance issues. This leaves companies less than six months until covered entities must be in full compliance.
The FTC Red Flag regulations apply to creditors that hold covered accounts. A creditor is defined by FACT as any entity that regularly extends, renews, or continues credit. The final rules define a “covered account” as one used primarily for personal, family or household purposes that involves, or is designed to permit, multiple payments or transactions. Covered accounts also include any other account for which there is a reasonably foreseeable risk of identity theft, either to customers or the creditor.
Creditors must periodically determine whether they offer or maintain covered accounts. Creditors that do must develop and implement written identity theft prevention programs to detect, prevent and mitigate identity theft in connection with such accounts. These programs must be appropriate to the size and complexity of the institution and the nature and scope of its activities. They must also address the changing nature of identity theft risks. The development of these programs is not a one-time event — it is a dynamic, ongoing process.
The Identity Theft Prevention Program
An identity theft program must be risk-based. Relevant red flags for covered accounts should be identified and incorporated into it. The program must then be able to detect any red flags that occur, respond to them appropriately and ensure that the red flags themselves are updated periodically to reflect changes in identity theft risks to customers, creditors and any service providers or vendors with which the institution does business.
Written policies and procedures must be approved by the board of directors or an appropriate committee thereof. For a creditor without a board, they must be approved by a management employee at the level of senior vice president or above. Lower-level employees may not oversee these programs.
Red flags are patterns of specific activity that indicate the possible existence of identity theft. Supplement A to Appendix J of the Red Flag Regulations details 26 possible indicators of identity theft, divided into the following five sections:
- Alerts from a consumer reporting agency
- Suspicious documents
- Suspicious personal information
- Unusual/suspicious activity related to the covered account
- Notice from customers, victims, law enforcement authorities, or others regarding possible identity theft
In identifying relevant red flags for covered accounts, an institution must consider the types of accounts it offers or maintains and how it opens and provides access to these accounts. Creditors should be aware that any previous experiences with or incidents of identity theft can also be considered potential red flags.
Considerations for Technology and E-Commerce Companies
The extension of the Red Flag regulations by the FTC is welcome news to many businesses that are late in developing and implementing their identity theft prevention programs. However, many business leaders are still unaware that their companies are required to comply with the Red Flag regulations.
Technology firms such as HP and Dell, which offer credit to their customers, are also required to prevent and detect identity theft under FACT. Considering that so many consumers have recently begun to purchase goods and services via lines of credit extended by technology firms, the amount of confidential information these companies must now protect has grown exponentially. To prevent financial or reputational damage to the firm, implementing an effective identity theft prevention program must become a top priority.
There is also a growing concern among online merchants that FACT will eventually be expanded to cover e-commerce businesses as well. The majority of fraud committed via Internet sales is generated through the use of stolen credit cards, wherein a perpetrator uses the stolen card to purchase goods and has them shipped to an address different from the billing address.
In the near future, the FTC may very well require all e-commerce businesses to monitor and possibly block unusual transactions — or “red flags” — of identity theft/fraud, such as transactions with address discrepancies. Although these types of businesses do not currently fall under the requirements of FACT, e-commerce companies may want to proactively begin considering possible means of preventing and detecting identity theft and fraudulent transactions conducted via the Internet, before their businesses are subjected to federal regulation.
The implementation of the Red Flag regulations associated with FACT has ushered in a new federal focus on cybercrime and has far-reaching effects on how companies do business. The penalties that firms face for noncompliance can be severe, and managing the associated risks presents yet another challenge for businesses covered under these new regulations.
The requirement to have a board-approved identity theft prevention program designed and implemented in such short order is an enormous undertaking. The absence of trained staff to carry out these duties, or of existing internal controls, can make the detection and prevention of identity theft by a creditor both difficult to manage and costly. Federal regulators are already inquiring about the status of creditors’ identity theft prevention programs. Creditors must therefore begin to take immediate measures to formulate their action plans in order to comply with the May 1, 2009 deadline.
Tim Mohr is a partner in the investigations practice of BDO Consulting, a division of BDO Seidman, LLP, which provides litigation, investigation, restructuring and risk advisory services to a wide range of publicly traded and privately held companies. Bob Pearlman is a partner in the technology practice at BDO Seidman.