Feds Force Businesses to Implement Identity Theft Prevention Measures by Fall 2008
July 30, 2008
The OCC, FDIC, Federal Reserve, FTC and other federal regulators recently issued a series of rules and guidelines to counter identity theft. New "red flag" rules and guidelines require financial institutions and creditors to formulate and implement identity theft prevention programs. Additional rules apply specifically to credit and debit card issuers and to certain users of consumer reports.
Red Flag Rules and Guidelines
Virtually every financial institution and creditor that maintains consumer accounts must comply with the red flag rules. These businesses must develop and implement a program designed to detect, prevent and mitigate identity theft and particularly focus on "red flags" that should raise suspicion. Each program must be tailored to the specific financial institution's or creditor's size, complexity and nature of operations, which provides flexibility for smaller businesses.
All creditors and financial institutions that maintain covered accounts must comply with the red flag rules. The definition of "covered account" is extremely broad and includes all consumer accounts that permit multiple payments or transactions, and any other account posing a reasonably foreseeable risk to a consumer or business from identity theft. Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts and savings accounts. The rules also suggest that small business or sole proprietorship accounts may be included.
Covered businesses must also comply with respect to the information of prospective customers.
Card Issuer Rules
The card issuer rules apply to an issuer of debit or credit cards and address the incidence of requests for a change of address followed by requests for additional or replacement cards, a common technique in identity theft. The card issuer must implement reasonable policies and procedures to assess the validity of an address change when it is followed within 30 days by a request for an additional or replacement card for the same account. Under such circumstances, a card issuer cannot issue an additional or replacement card until it complies with certain notice and other procedural requirements.
Address Discrepancy Rules
The address discrepancy rules require certain users of consumer reports to develop and implement procedures designed to double-check the match between a consumer and his or her credit report where an address discrepancy arises. The user must then also furnish any corrected address information to the consumer reporting agency.
Covered businesses must comply with these regulations by November 1, 2008. [UPDATE: The FTC pushed back the compliance date for "red flag" rules to May 1, 2009. Additional rules that were published at the same time that apply specifically to credit and debit card issuers and to certain users of consumer reports still require compliance by November 1, 2008.]
The regulations implement Sections 114 and 115 of the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act. Failure to comply may result in civil liability to consumers for actual damages, nominal damages when actual damages cannot be proved, punitive damages and attorney's fees, as well as administrative enforcement by the FTC or other relevant regulator.
For Further Information
If you have any questions regarding these regulations, including how they may affect your company, please contact a member of the Information Technologies and Telecom Practice Group or the lawyer in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.