UPDATE: Enforcement of Red Flags Rules to Combat Identity Theft Set to Begin November 1, 2009

Identity theft creates serious problems for both consumers and businesses. For certain businesses, the enforcement of federal rules designed to help stop identity theft is set to begin in November. Failure to abide by the rules can result in fines and expose those businesses to civil litigation.

Starting November 1, 2009, the Federal Trade Commission (FTC) is scheduled to begin enforcement of the “Red Flags Rules.” This means that creditors and financial institutions who have not already done so need to implement written programs designed to detect, prevent, respond to, and mitigate instances or activities that could indicate identity theft.

These Red Flags Rules are part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 and apply specifically to creditors and financial institutions. The definition of “creditor” under federal law includes: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. Examples of creditors include automobile dealers, mortgage brokers, finance companies, utility companies and telecommunications companies. Financial institutions, as defined, include entities that offer accounts that enable consumers to write checks or to otherwise make payments to third parties, such as with negotiable instruments or telephone transfers.

The required Red Flags Programs should provide for identification, detection, and responses to patterns, practices, or specific activities that could indicate identity theft. These Programs must be appropriate for the size and complexity of the financial institution or creditor and the nature and scope of its activities. Although the FTC has delayed enforcement of the Red Flags Rules until November 1, 2009, the Rules went into effect on November 1, 2008. Guidelines have been issued, as well as a supplement which provides illustrative examples of 26 categories of possible Red Flags. Additional information is available on the FTC website, click here. However, companies may consider hiring an attorney or consultant to draft their Red Flags Programs and help with training and implementation.

Failure to establish and implement Red Flags Programs, including the written identity theft prevention plan, may expose creditors and financial institutions to possible civil litigation should an identity theft take place or if personal identifying information is stolen. There are also FTC fines associated with these Red Flags Rules and strict enforcement is anticipated.

For more information, please contact Edward J. Kelleher, at (856) 354-3113. Ed is a Partner in Archer’s Litigation Services Department and a member of the firm’s Commercial Collections & Consumer Litigation Practice group.


DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific legal issue or problem. Advice should be obtained from a qualified attorney licensed to practice in the jurisdiction where that advice is sought.