• Red Flag Rule: Moving Toward Identity Theft Programs
  • May 16, 2008
  • Law Firm: Troutman Sanders LLP - Atlanta Office
  • Are you looking for a reason to get some face time with the Board of Directors? Several federal agencies recently handed out a golden opportunity to do just that in the form of the “Red Flag” Identity Theft Rule that became effective on January 1, 2008 and will demand Board approval by November 1, 2008.

    The Red Flag Rule, issued jointly by several federal agencies with regulatory authority over the financial industry (Treasury, the Fed, FDIC, the FTC, and the National Credit Union Administration), effectuates Section 114 of the “FACT Act,” which amended Section 615 of FCRA.  Affected businesses, such as credit grantors, must create a written Identity Theft Program that is designed to detect, prevent, and mitigate identity theft that may affect “covered accounts.”  The Program must identify and incorporate relevant patterns, practices, and specific activities that are a “Red Flag” signaling possible identity theft.  In addition, the Program must be designed to enable a business to detect Red Flag occurrences and to respond appropriately when those Red Flags are triggered. 

    The federal agency consortium also issued “Interagency Guidelines on Identity Theft Detection, Prevention and Mitigation.” These guidelines are designed to help affected businesses create a Red Flag Program. While the Red Flag Rule requires the official guidelines to be considered, only Red Flags relevant to a particular business or industry must be incorporated, not every Red Flag described by the guidelines.  A business is instructed to use its unique experiences with identity theft to further tailor the Program to specific issues and needs.

    Once created, the Program must be adopted by the Board of Directors or an appropriate committee of the Board.  Once approved, the Board or a committee appointed by the Board or a designated senior employee is required to continually oversee the development, implementation, and administration of the Program.  The Rule also requires affected businesses to train staff to implement and comply with the Program, and businesses must oversee the actions of any service provider who performs designated activities on behalf of the business to ensure their compliance too.  The Rule further requires the Program to be updated periodically to ensure that the newest risks and tricks in the identity theft field are recognized and incorporated into the existing Program.

    The new Rule also specifically instructs debit and credit card issuers to establish procedures to asses the validity of a cardholder’s change of address request when a new card is requested within 30 days of an address change.  The card issuer may not issue a new card without first taking certain verification steps. 

    The FTC may impose fines for violations of the new rules, so you want to be sure that your face time with the Board is spent spelling out the company’s new written Identity Theft Program, not explaining why the FTC has fined the company for a failure to comply with the new Red Flag Rule.