Applicability of Identity Theft Prevention Regulations
The Federal Trade Commission (FTC) and other federal agencies have been attempting to combat identity theft and protect individuals from the effects of identity theft for years. In an effort to prevent identity theft and mitigate its harm, several federal agencies have jointly drafted identity theft "red flag" regulations which apply to creditors, and "address discrepancy" regulations which apply to users of consumer reports and issuers of credit or debit cards. Compliance with these regulations is mandatory as of May 1, 2008.
The identity theft red flag regulations are potentially applicable to all creditors, even commercial creditors. Business accounts held by a creditor are "covered accounts" under the regulations if (1) they involve a continuing relationship, and (2) there is a "reasonably foreseeable risk" of identity theft to the customer. For example, if a business account permits multiple transactions or payments and personally identifying information of an individual was required to open the account, that account will be a covered account. Past experiences of a creditor with identity theft and reported trends in identity theft may also affect whether there is a reasonably foreseeable risk of identity theft. Additionally, if any company uses credit reports or issues credit or debit cards to consumers, the identity theft regulations also contain requirements regarding what the user or issuer must do in case of an address discrepancy.
Penalties for failing to put reasonable policies in place (and follow them) may be as high as $2,500 per violation. It is important that all creditors assess the applicability of the regulations and, if necessary, put in place the requisite policies and procedures. Since the regulations are new and untested, it is difficult to know what policies the FTC will consider reasonable. However, it seems clear that a failure to have any policies or procedures in place will be cause for enforcement – especially if an incident of identity theft occurs, at which point the "risk" of identity theft will be apparent.
What do the regulations require?
The regulations affect all creditors because, at a minimum, each creditor is expected to periodically evaluate whether it holds any covered accounts. Covered accounts include continuing relationships established by a person for the extension of credit or for deposit whether (1) for personal, family or household purposes and involving multiple payments or transactions, or (2) for which there is a reasonably foreseeable risk to the customer or the creditor from identity theft. To comply, creditors should put a policy in place requiring periodic evaluation of accounts, e.g., an annual evaluation to determine whether any further action is needed. If the creditor determines that it holds any covered account, it should then proceed to create a compliance program. Further, a creditor will not be excused from compliance merely because it is a small business or only maintains a small number of accounts.
The regulations do not require any specific technology, system, or program for the compliance program. Instead, creditors are permitted to tailor their programs to their size, risk, and complexity. However, the initial compliance program should be approved by the creditor's board of directors, a committee of the board, or the equivalent. The compliance program should include written policies and procedures designed to:
1. Identify relevant identity theft red flags;
2. Detect the occurrence of red flag events;
3. Respond appropriately to the occurrence of red flag events; and
4. Ensure periodic updating of the program.
Identification of Red Flags: Identity theft red flags are patterns or practices that indicate the possible existence of identity theft. Red flags may fall into five general categories: (1) alerts or warnings from consumer reporting agencies or fraud detection services, (2) suspicious documents, (3) suspicious personal identifying information (which could include a change of address), (4) unusual or suspicious activity on a covered account, and (5) notice from customers, victims or law enforcement authorities. Each creditor should evaluate these categories and the illustrative examples given in the guidelines and identify those that are relevant to its business.
Detection of Red Flag Events: Once the relevant identity theft red flags are identified, the creditor should put policies and procedures in place to detect the occurrence of the red flags it has identified. Such detection measures could involve electronic monitoring or training of employees who open or monitor accounts. The procedures can be modified to fit the complexity and risk encountered, as well as the size and scope of the creditor's business.
Response to Red Flag Events: Next, policies and procedures regarding the response to the detection of a red flag event must be implemented. The appropriate response could include monitoring the covered account, contacting the customer, changing security codes, closing the covered account, not attempting to collect on the covered account, or even determining that no response is warranted. Many situations may require more than one of these responses or other responses, depending on the circumstances.
Updating the Program: The regulations require creditors to periodically update their policies and procedures as appropriate in light of such factors as their experiences and developments in methods of identity theft and identity theft detection, as well as changes in the type of accounts the creditor offers. To comply, a creditor could put a policy in place requiring it to conduct scheduled reviews of the program, e.g., annually.
Creditors are not permitted to side-step their obligation to comply with the regulations merely by outsourcing services. They are still obligated to provide oversight of the service provider arrangements regarding covered accounts and should contractually require the service provider to have policies and procedures to detect red flags that may arise in performance of the service provider's activities and to take appropriate actions to prevent or mitigate identity theft if a red flag is detected.
Users of Consumer Credit Reports:
Nationwide consumer credit reporting agencies are required to send a Notice of Address Discrepancy to the user of a credit report under certain circumstances. The regulations require action on the part of the user only when the credit reporting agency sends such a notice. The regulations are intended to encourage users of credit reports to ensure that the credit report relates to the intended person when there is an address discrepancy necessitating the notice. Even commercial creditors may be covered under these provisions if there are circumstances where they request credit reports, e.g., if individual credit reports are requested prior to opening a business account for a sole proprietorship.
Users of credit reports are required to put policies in place designed to allow them to "form a reasonable belief" that the credit report they have been given relates to the same person for which they requested the report. Examples of the types of things a user could do to form a reasonable belief include (1) comparing the information on the credit report to the information the user keeps in its records or obtains from third-parties, and (2) verifying information in the credit report with the consumer. The user also has to put in place reasonable policies for reporting addresses to consumer credit reporting agencies who have sent the Notice of Address Discrepancy once the address is confirmed.
Issuers of Credit or Debit Cards:
The provisions concerning credit or debit card issuers require the card issuer to put reasonable policies in place for confirmation of the validity of a consumer's change of address. These provisions are specifically limited to cards issued to consumers, and do not apply to strictly commercial creditors.
How does a company comply with the regulations?
If a company is a creditor, uses credit reports or issues credit or debit cards, it should take steps to comply with the identity theft red flag and address discrepancy regulations before an incidence of identity theft occurs. One example illustrating the steps that a company could take to comply with the regulations is as follows:
(1) Draft a policy which requires the company to:
- annually evaluate whether it holds covered accounts;
- if the evaluation indicates that the company does hold any covered accounts, implement or update reasonable procedures to identify, detect and respond to red flags;
- take reasonable steps to assure that a credit report relates to the person on whom it was requested when a Notice of Address Discrepancy is received; and
- put reasonable policies in place regarding confirmation of a change of address request relating to a consumer's credit or debit card account.
(2) Have the board of directors, committee of the board, or equivalent approve the policy and, if desired, delegate authority to implement and oversee the policy to a senior employee.
(3) Perform an evaluation to determine whether the company holds any covered accounts, and, if so, use the Guidelines that accompany the red flags regulations as a starting point to identify relevant red flags and draft specific, reasonable procedures regarding how the company will detect and respond to the identified red flags.
(4) Train employees who will be affected by the policies and procedures regarding detection and response to red flags or response to address discrepancies.
(5) If any service providers are in a position where they may detect relevant red flags, review the contract with the service provider and, if not already present, request an addendum requiring the service provider to comply with the identity theft red flag regulations.
Since no compliance policy is "one size fits all," Varnum can provide your company with customized advice and assistance to take the steps toward compliance that are reasonable for your company's size, complexity and level of risk.
You May Also Be Interested In
- Facebook, Inc. v. Duguid Limits the Definition of “Autodialer” Under the Telephone Consumer Protection ActBusiness Law Advisory , April 8, 2021
- Data Privacy Advisory , March 5, 2021
- Data Privacy Advisory, January 28, 2021