ID Theft Red Flags Rule: Are You Ready for May 1?

Deadline is Near for Enforcement of Reg for State-Chartered Credit Unions and Non-Banking Creditors
May 1 is nearly here. Are non-banking creditors and state-chartered credit unions ready?

This is the date when the Federal Trade Commission will finally start to enforce the Identity Theft Red Flags Rule, for which federally-regulated banks and credit unions have been tested for compliance since last Nov. 1.

Originally, all affected entities were to show compliance with the Red Flags Rule by Nov. 1, but in late October the FTC extended the deadline by six months for the roughly 11 million entities it oversees. This move was to give non-banking creditors and state-chartered credit unions additional time to develop and implement written identity theft prevention programs.

Since last fall, the FTC has promoted an extensive outreach effort to explain the rule in greater detail, speaking at many business conferences, hosting seminars and maintaining a dedicated website on ID Theft Red Flags compliance. According to Betsy Broder, Assistant Director, Division of Privacy and Identity Protection at the Federal Trade Commission, many companies that didn't think of themselves as creditors now realize they are covered entities under this rule.

So, with the new deadline just weeks away, are these entities ready to demonstrate compliance?

"It's hard for us to assess that until we begin enforcement," Broder says. "What we're looking for is good faith efforts on their part to develop programs."

Who is Impacted?

Since stepping up its outreach, Broder says, the FTC has found a great deal of confusion on the part of the entities it oversees. "We explain the rule to them, we tell them it is a risk-based program. If you are a creditor and you have covered accounts, but you've never had identity theft hit any of them, then you will have an extremely low risk and burden to provide a program that reflects that risk."

Broder says the covered entities, no matter what their size, must design and implement a written identity theft prevention program. The rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. "A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services," Broder says.

Under the ID Theft Red Flags Rule a creditor is:

  • Any entity that regularly extends, renews or continues credit;
  • Any entity that regularly arranges for the extension, renewal or continuation of credit;
  • Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. But creditors do include:

  • Finance companies;
  • Automobile dealers;
  • Mortgage brokers;
  • Utilities;
  • Telecommunications companies.

Even healthcare providers who defer payment (provide credit) for patients fall under the creditor status, according to the rule. Any interaction where a consumer is not paying up front would make the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," Broder says.

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA), fall under the FTC's jurisdiction.

What the FTC Expects

Broder expresses confidence that entities will comply with the regulation, saying, "When we designed this, we deliberately designed it as a risk-based rule, so companies (and institutions) could create a program that was relevant to the types of risks they encounter and that was relevant to their complexity, and size."

As to whether all the affected entities will be ready by May 1, Broder hesitates to say. "We understand this has been challenging for some companies, particularly those who do have higher risks, and have not been accustomed to establishing programs like this," Broder says. "There has been a learning curve on their part, and it's taken them a while to implement it."

The FTC will be looking for "reasonable efforts" at this initial point of enforcement, Broder says. She says plans are to continue to maintain the FTC's approach of outreach, support, education and to make the materials available online. "We've done dozens of talks and seminars with various business groups," she says.

Many businesses have discovered they already have many of the needed items in place for a program. "They already have certain elements of fraud detection, such as carefully checking IDs, or verifying application information through a third party source," she notes.

At a recent conference, an executive from a large creditor company told Broder, "This Red Flags rule was one of the best business exercises that his company had been through in years."

The entire program's development forced the creditor to approach this issue in a much more logical, structured way, so that it now has one document that captured all of the company's fraud detection and response programs. "It made them approach it in a more holistic fashion," Broder says. "For that reason alone, they thought it was a beneficial exercise for them to go through."

With May 1 only a few weeks away, Broder pauses when asked for specific areas the FTC will focus on when enforcing the Red Flags rule.

"It is hard to say when we get to enforcement stage what areas or industries we'll be looking at," she says. "But as in past enforcement activities, high-risk entities that have taken virtually no steps to mitigate risk or build a program will be on top of the list."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



