Red Flags Rule

Overview
The Identity Theft Red Flags Rule, issued in 2007, requires creditors and financial institutions to implement identity theft prevention programs. It is implemented pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The FACT Act amended the Fair Credit Reporting Act (FCRA) by directing the FTC, along with the federal banking agencies and the National Credit Union Administration, to develop Red Flags guidelines. These guidelines require creditors and financial institutions with covered accounts to develop and institute written identity theft prevention programs.

According to the FTC, the identity theft prevention programs required by the rule must provide for:


 * identifying patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft and then incorporating those red flags into the identity theft prevention program;
 * detecting those red flags that have been incorporated into the identity theft prevention program;
 * responding to the detection of red flags; and
 * updating the identity theft prevention program periodically to reflect any changes in identity theft risks.

Possible “red flags” could include:

 * alerts, notifications, or warnings from a consumer reporting agency;
 * suspicious documents;
 * suspicious personally identifiable information, such as a suspicious address;
 * unusual use of — or suspicious activity relating to — a covered account; and
 * notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

The deadline for creditors and financial institutions to comply with the Red Flags Rule was originally set at November 1, 2008. However, many of the organizations affected by the Red Flags Rule were not prepared to institute their identity theft prevention programs by this date. Therefore, the FTC moved the deadline to May 1, 2009, and then further extended the compliance date to November 1, 2009. Most recently, the FTC extended the enforcement date to June 1, 2010, and indicated that the extension was, in part, a result of the debate over whether Congress wrote the FACT Act Red Flags provision too broadly by including all entities qualifying as creditors and financial institutions.

The effect that the Red Flags Rule will have on the prevalence of identity theft remains uncertain. One potential effect is that the Red Flags Rule may help creditors and financial institutions prevent identity theft by identifying potential lapses in security or suspicious activities that could lead to identity theft. This could possibly lead to an overall decrease in the number of identity theft incidents reported to the FTC, as well as the number of identity theft cases investigated and prosecuted. Once a red flag is detected, the Red Flags Rule requires that the creditor or financial institution respond to it. One response option that creditors and financial institutions might include in their prevention programs is to notify consumers or law enforcement of data breaches that could potentially lead to the theft of consumers’ personally identifiable information. While notification is not a required element in the identity theft prevention programs, early notification could lead to consumers taking swift action to prevent identity theft or mitigate the severity of the damage that could result if they had not been notified as quickly.

Other questions about the effects of the Red Flags Rule stem not from its possible effects on the prevalence of identity theft, but from its effects on the approximately 11.1 million creditors and financial institutions required to implement the identity theft prevention programs. The FTC estimates the total annual labor costs (for each of the first three years the Rule is in effect) for all creditors and financial institutions covered by the rule to be about $143 million. This financial burden would be absorbed by the responsible creditors and financial institutions.

Further, some entities considered creditors or financial institutions under the Rule have expressed concern that the burden of the rule overlaps with burdens already incurred under other regulations. For example, the American Bar Association (ABA) has expressed concern over whether lawyers are considered “creditors” under the Red Flags Rule because they generally do not require payment until after services are rendered. On October 29, 2009, the U.S. District Court for the District of Columbia ruled that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act of 2003 overreaches, and its application to lawyers is unreasonable.

Further, the American Medical Association has indicated that physicians should be exempt from the Red Flags Rule because of patient privacy and security protections required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition, there may be concern that to avoid being considered creditors, some physicians could possibly require full payment at the time of service (rather than allowing deferred payments). This could in turn lead to some patients avoiding potentially necessary treatment if they are unable to pay in full at the time of service; on the other hand, the rule may have no effect on patients seeking medical treatment.

Legislation in the 111th Congress would place limits on the “creditors” and “financial institutions” currently covered by the Red Flags Rule. The actual effects of the Red Flags Rule — including effects on identity theft rates as well as any indirect consequences — will not be evident until after full implementation by creditors and financial institutions. The 111th Congress may consider monitoring the effects of the impending Red Flags Rule on subsequent identity theft rates.