Enforcement of Red Flags Rule by FTC Postponed

By
August 6, 2009

On July 29, 2009, the Federal Trade Commission announced that it was postponing until November 1, 2009 its enforcement of the โ€œRed Flags Ruleโ€ (the โ€œRuleโ€), which may be found at 16 C.F.R. 681. Originally, enforcement of the Rule was scheduled to begin on August 1, 2009. Under the Rule, certain businesses and organizations are required to spot and act on certain activities or โ€œred flagsโ€ that are often indicators of identity theft. To comply with the Rule, these businesses and organizations will need to develop and adopt a written โ€œred flags programโ€ to identify and detect โ€œred flagsโ€ and ensure that the program is kept up to date in order to minimize damage from identity theft.
Review Definitions Carefully as Many Businesses Are Likely Covered
The Rule was discussed in detail in a Ruder Ware Legal Update dated July 27, 2009. Our discussions to date with a number of clients regarding the Rule indicate that there may be a false sense of security that the Rule applies only to financial institutions and/or only to those businesses that deal directly with consumers. We believe that a proper interpretation of the Rule indicates that it certainly applies to financial institutions and to those businesses that deal directly with consumers but that it also applies to all โ€œcreditorsโ€ having โ€œcovered accounts.โ€
The Rule defines a โ€œcreditorโ€ as a business or organization that regularly:

Extends, renews, or continues credit;
Arranges for someone else to extend, renew, or continue credit; or
Is the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Any business or organization that allows payment for goods and services to be made after a purchaser (whether the purchaser is a consumer or a business entity) receives the goods or services is a โ€œcreditorโ€ under the Rule. We believe that most businesses will be a โ€œcreditorโ€ for the purposes of the Rule.
The Rule also defines a โ€œcovered accountโ€ as:

An account used mostly for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions and establishes a continuing relationship with the financial institution or creditor. An account used mostly for personal, family, or household purposes will generally have account holders that are individuals. This type of account includes accounts such as credit card accounts, mortgage loans, car loans, consumer leases, margin accounts, cell phone accounts, utility accounts, certificates of deposit, retirement or IRA accounts, trust accounts, or checking or savings accounts.
An account for which there is a foreseeable risk of identity theft, such as a small business or sole proprietorship account, or where the safety and soundness of the financial institution or creditor, including financial, operations, compliance, reputation, or litigation risks, indicate that there is a foreseeable risk of identity theft. This type of account may include accounts where instances of identity theft have occurred in similar accounts (which indicates that there is a foreseeable risk of identity theft) or where the information presented by an account holder is similar to that presented by an individual (such as where a small business or sole proprietorship presents the ownerโ€™s information as the information for the business).

If a business or organization is a โ€œcreditor,โ€ but does not have any โ€œcovered accounts,โ€ the business or organization does not need a red flags program. However, if a business or organization is a โ€œcreditorโ€ and has โ€œcovered accounts,โ€ the business or organization must develop and implement a written program to identify and address the red flags that could indicate identity theft.
Many businesses which sell goods or services only to other businesses may not satisfy the requirements of subsection 1. of the definition of โ€œcovered accountโ€. However, subsection 2. of the definition of โ€œcovered accountโ€ will be satisfied if there is a โ€œforeseeable risk of identity theftโ€. This language is quite broad and at this time is undefined through regulatory interpretation or case law. However, we believe that an expansive interpretation of the Rule is appropriate and that most businesses should act as if they will be subject to the Rule.
Identity theft is most often thought of as involving the misappropriation or misuse of โ€œpersonally identifiable informationโ€. The term โ€œpersonally identifiable informationโ€ has been defined in an Office of Management and Budget (โ€œOMBโ€) Memorandum from 2007 as โ€œinformation which can be used to distinguish or trace an individualโ€™s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, motherโ€™s maiden name, etc.โ€ This definition has been referenced in recent reports which have been prepared by the National Institute of Standards and Technology (โ€œNISTโ€) and the United States Government Accountability Office (โ€œGAOโ€).
Identity theft does not only affect individuals. It also is possible that a business could be the victim of identity theft if bank account information and/or other identifying information which is unique to that business is compromised, misappropriated, or misused. Accordingly, any business which utilizes or maintains records of โ€œpersonally identifiable informationโ€ of individuals or businesses could be subject to a โ€œforeseeable risk of identity theftโ€.
For these reasons, we recommend that most businesses, if they are not otherwise specifically covered by the Rule as a โ€œfinancial institutionโ€, should anticipate that they will be subject to the Rule as a โ€œcreditorโ€ and that they will likely be found to have โ€œcovered accountsโ€ if they utilize or maintain records of โ€œpersonally identifiable informationโ€ of individuals or businesses which are subject to a โ€œforeseeable risk of identity theftโ€.
If you have questions regarding the above, please contact Derek Prestin, the author of this article, or any of the attorneys in the Business Transactions Practice Group of Ruder Ware.

Back to all News & Insights

This document provides information of a general nature regarding legislative or other legal developments, and is based on the state of the law at the time of the original publication of this article. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed. You should not act upon the information in this document without discussing your specific situation with legal counsel.

ยฉ 2025 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.