A Yellow Flag for the Red Flags Rule

This is the 24th in a series of brief articles that Moye White is sending to its clients and friends to provide practical insight about the opportunities and challenges presented by today's economy.

The Federal Trade Commission promulgated the “Red Flags Rule” to combat the growing problem of identity theft. The Rule requires certain companies to develop and implement procedures to help identify and report suspicious activity that may indicate identity theft. While combating identity theft is a laudable goal, the broad scope of the Rule has raised concerns among many businesses. The Rule applies only to certain types of parties, however the terms used are so broadly defined that they draw within the Rule’s coverage businesses from every sector of the economy. As a result of strong business push-back, the FTC has delayed enforcement of the Rule a third time. The Rule is now slated to take effect November 1, 2009.

The Red Flags Rule applies to “financial institutions” and “creditors” that maintain “covered accounts.” Under the Rule, “financial institutions” include any bank, savings and loan association, mutual savings bank, credit union or other person that holds a transaction account belonging to a customer. “Creditors”, however, are broadly defined to include (i) any business or organization that regularly defers payment for goods or services or provides goods or services and bills customers later, and (ii) any company that regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. As written, “creditors” may include utility companies, health care providers, lawyers, accountants, finance companies, mortgage brokers, real estate agents, car dealers, and retailers that provide customer financing. “Creditors” may also include government agencies and non-profit organizations.

There are two types of “covered accounts” under the Rule. The first is any consumer account for personal, family, or household purposes that permits multiple payments or transactions, such as credit card accounts, mortgage loans, car loans, phone accounts, utility accounts or bank accounts. The second is any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor resulting from identity theft.

If your company is a “financial institution” or “creditor” that maintains “covered accounts” as defined under the Red Flags Rule, you must comply with the Rule by November 1. The FTC has identified four steps to satisfy the Red Flags Rule:

  1. Identify Relevant Red Flags. The FTC suggests that you consider red flags of potential identity theft such as (a) alerts, notifications and warnings from a credit reporting company; (b) suspicious documents that look altered or forged, or contain inconsistent information; (c) suspicious personal identifying information that may be inconsistent or contain an invalid social security number; (d) suspicious account activity such as major changes in account patterns, failure to make the first payment on a new account, or the reactivation of an account that was previously inactive; and (e) notices from other sources such as customers, law enforcement, victims of identity theft or others.
  2. Detect Red Flags. Develop procedures to identify red flags in new and existing accounts. This may include asking customers for information to verify their identity and checking the information against databases such as the Social Security Number Death Master File.
  3. Prevent and Mitigate Identity Theft. Develop procedures for a response to identity theft. For example, your procedures could include steps such as contacting the customer, changing passwords on suspicious accounts, opening new accounts, or notifying law enforcement.
  4. Update Your Program. Your company should periodically review its existing procedures and consider whether they are effective, or whether new procedures should be adopted to help combat identity theft. At least annually, your board of directors should review these procedures and the effectiveness of your program.

The Red Flags Rule does not define exactly what procedures are necessary, allowing you to develop a plan that is appropriate for your company. There is no private right of action under the Red Flags Rule, so your customers cannot sue you for non-compliance; however, the FTC does have jurisdiction to investigate and bring enforcement actions. Non-complying companies face fines of up to $3,500 per violation.

Because of potential broad applicability of the proposed Red Flags Rule, a number of industry groups such as the American Bar Association and American Medical Association have lobbied to limit its application. With a reprieve from compliance granted until November 1, 2009, companies that may be subject to the Red Flags Rule should begin taking steps now to develop internal policies and procedures, as there is no guarantee a fourth extension will be granted.

For more information contact: Jackie Benson, Charles Luce, or Ted White, Chair, Transaction Section at (303) 292-2900.

If you prefer not to receive any unsolicited e-mails regarding Moye White information, please contact us at

Moye White LLP has prepared this bulletin to provide general information; however this bulletin does not provide legal advice and does not create an attorney-client relationship between the reader and Moye White. No legal or business decision should be based solely on the content of this bulletin.