Identity theft is a growing concern on a national level primarily due to the increased use of electronic transactions and online technology. Consequently, federal regulatory agencies came together to create the Identity Theft Red Flags Rule (“Red Flags Rule” or “Rule”), which requires financial institutions and creditors to develop and implement identity theft prevention procedures to identify, detect, and respond to activities that could indicate identity theft. The Rule’s definition of financial institution and creditor are purposefully broad so that they cover a wide range of entities.
Recently, the Federal Trade Commission (“FTC”) announced it was extending the original November 1, 2008 compliance deadline to May 1, 2009. The extension accommodates entities that were uncertain about whether they fell within the Rule’s definition of financial institution or creditor as well as those who learned of the Rule’s requirements too late to come into compliance.
The Red Flags Rule applies to all financial institutions and creditors that have covered accounts. Since many of these entities continually offer new products, a determination of whether a company has a covered account is an ongoing process.
The Rule defines a financial institution as a bank or other organization that holds customers’ funds and permits accountholders to make payments or transfers to third parties, such as checking accounts and savings accounts that allow automatic transfers.
A creditor is defined by the Rule as any entity that regularly extends credit, which includes finance companies, casinos, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
Under the Red Flags Rule, a covered account is an account primarily for personal, family, or household purposes that permits multiple payments or transactions. Common examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. The term covered accounts also includes any other account that is vulnerable to identity theft, such as small business accounts.
The Red Flags Rule covers a broad range of the firm’s clients; therefore, immediate measures should be taken to help them meet the extended May 1, 2009, deadline. The first step toward compliance is a comprehensive review of each client’s existing fraud prevention policies to determine if they can be tailored to meet the Rule’s provisions. Also, assistance should be provided for the development and implementation of training programs as well as the investigation and response to identity theft incidents.
We hope this information has been helpful. Please contact any member of Baker Hostetler’s Intellectual Property Team for additional information.
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. [Florida Rule 4-7.2(d)] © 2008 Baker & Hostetler LLP