• "Red Flag" Rules May Snare Unsuspecting Businesses
  • September 24, 2008
  • Law Firm: Duane Morris LLP - Philadelphia Office
  • The OCC, FDIC, Federal Reserve, FTC and other federal regulators recently issued a series of rules and guidelines to counter identity theft. These new "red flag" rules and guidelines are not just applicable to financial institutions and traditional creditors. Every business that maintains "covered accounts" must comply with the red flag rules by November 1, 2008.

    The definition of "covered account" is broad and includes all consumer accounts that permit multiple payments or transactions, and any other account posing a reasonably foreseeable risk to a consumer or business from identity theft. In addition to traditional credit extended by financial institutions, the definition also includes all types of trade credit and other payment terms extended by merchants to customers, such as cell phone accounts, utility accounts and used car loans. The rules also suggest that small business or sole proprietorship accounts may also be included in the definition.

    Businesses that maintain "covered accounts" must develop and implement programs designed to detect, prevent and mitigate identity theft and particularly focus on "red flags" that should raise suspicion. Failure to comply may result in civil liability to consumers for actual damages, nominal damages when actual damages cannot be proved, punitive damages and attorney's fees, as well as administrative enforcement by the FTC or other relevant regulator.