Privacy & Information Security Law Blog

In May 2013, the Federal Trade Commission released a new guide entitled Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business (the “Guide”) to help businesses and organizations determine whether they are subject to the FTC’s Red Flags Rule (“Red Flags Rule”) and how to meet the Rule’s requirements. The FTC’s Guide includes information regarding what types of entities must comply with the Red Flags Rule, a set of FAQs, and a four-step process to achieve compliance.

As we previously reported, on November 30, 2012, the FTC issued an interim final rule (“Interim Final Rule”) that limited the application of the Red Flags Rule by narrowing the definition of “creditors” to make it consistent with the Red Flag Program Clarification Act of 2010. As initially promulgated in 2007, the Red Flags Rule’s broad definitions of “financial institutions” and “creditors” were the subject of confusion and controversy that led to Congressional clarification in 2010.

The Guide outlines a two-step analysis to determine if an entity must comply with the Red Flags Rule. According to the Guide, “[t]he determination isn’t based on the industry or sector, but rather on whether a business’ activities fall within the relevant definitions. A business must implement a written program only if it has covered accounts.” The first step consists of assessing if the business falls within the Red Flags Rule’s definitions of a “financial institution” or “creditor.” The second step requires a determination as to whether the “financial institution” or “creditor” has “covered accounts” as that term is defined in the Red Flags Rule. The Guide provides that, as part of the assessment, organizations should look “at existing accounts and new ones” as well as both categories of accounts that are covered.

The FAQs contained in the Guide provide additional information on the applicability of the Red Flags Rule. Some of the questions contained in the FAQs include:

• What if I occasionally get credit reports in connection with credit transactions?
• In my legal practice, I often make copies and pay filing, court, or expert fees for my clients. Am I “advancing funds”?
• Our company is a “creditor” under the Rule and we have credit and non-credit accounts. Do we have to determine if both types of accounts are “covered accounts”?

The Guide also includes a four-step compliance process involving (1) identifying relevant Red Flags; (2) detecting Red Flags; (3) preventing and mitigating identity theft; and (4) updating the organization’s identity theft program.