FTC Red Flags Rule Enforcement Delay - "What Red Flags Rules?"
On October 22, 2008 the Federal Trade Commission (FTC) announced a six-month extension, to May 1, 2009, for entities under its jurisdiction to comply with the "Red Flags" rules (16 CFR 681.1) adopted on November 7, 2007. The original compliance deadline was November 1, 2008, and the extension applies only to entities under FTC jurisdiction. Banks and other financial institutions regulated by the Federal Reserve, the Office of Thrift Supervision (OTS), the Office of the Comptroller of the Currency (OCC), the National Credit Union Administration (NCUA), or the Federal Deposit Insurance Corporation (FDIC) are still subject to the November 1, 2008 deadline.
The Red Flags rules require, among other things, that covered entities: (1) assess what risks of identity theft are involved in their services or products, (2) determine what circumstances or behaviors could be signs of identity theft-related activity involving the services or products (i.e., red flags), and (3) adopt a written "identity theft prevention program" based on that assessment and the potential "red flags" of identity theft. These requirements are in addition to, or supplementary to, existing Customer Identification Program (CIP) or other information security, fraud prevention or anti-money laundering programs an entity may have or be required to have under other regulation. In other words, while a covered entity may have a good start from previous information security, anti-fraud and anti-money laundering efforts and programs, a written program addressed specifically to compliance with 16 CFR 681.1 must be adopted after the analysis specified in the regulation.
The FTC discovered during outreach and education attempts after adoption of the regulation that many of the entities subject to the Red Flags rule were not aware that such a rule existed, much less that they were subject to it, or even that they were subject to FTC jurisdiction at all. Since many of those entities became aware of the requirements too late to put a compliant program in place prior to the original deadline, the FTC extended it.
FTC guidance published to date has probably contributed to any confusion that exists, since only a lawyer could love the subtleties of the explanations and examples. For instance, in guidance published in June 2008 (http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm), the FTC explains that "financial institutions" and "creditors" with "covered accounts" are subject to the regulation. "Financial institutions" are defined as the usual suspects (banks, thrifts, etc.) but also "any other entity that holds a 'transaction account' belonging to a consumer." A transaction account is defined as "a deposit or other account from which the owner makes payments or transfers." As examples, the guidance lists checking accounts, NOW accounts, savings deposits subject to automatic transfer, and share draft accounts. Maybe it's just me, but if the coverage of the Red Flags rules is in fact very broad, which it is, it was not helpful to use only examples of types of transaction accounts offered only by traditional financial institutions, and my guess is that the examples hurt more than they helped.
As one example, I wonder if start-up companies seeking to utilize network-branded prepaid cards as delivery vehicles for value-added services in the health care field (or any other field) understand that they could have Red Flags compliance responsibilities to consider. A prepaid card account could be a transaction account under the broad definition of the term. Although the prepaid card is issued by a financial institution, if it is marketed and distributed by the company as an agent of the bank, the obligation for compliance may be the agent's (and the issuing bank would probably insist). Further, any written program adopted in compliance with the Red Flags rule must address how to ensure compliance by any third party to whom any part of the business is outsourced. Since outsourcing is a common practice in the payments industry, this requirement also will require attention. Of course, just for amusement, there is in the prepaid cards industry the question of exactly who is the outsourcer and who is the outsourcee, so you can't say this isn't fun.
If there is any comfort to share, it is that the FACTA legislation that created the Red Flags requirements seems to expressly bar any private (i.e. consumer) right to sue for violations of the Red Flags requirements (although a drafting glitch in the legislation has already caused different courts to come to different conclusions on this). Enforcement will be by the FTC and possibly state attorneys general.