The Red Flags Rule: Does This Apply to Governmental Entities?

Written by Jenny Gray, CPA

Millions of Americans have their identities stolen each year. In addition to the impact on individuals, the cost to entities – left with unpaid bills racked up by scam artists – can be staggering, too. In response to the growing cases of identity theft, effective as of January 1, 2008, the Federal Trade Commission implemented the “Red Flags Rule”.  The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage caused by identify theft.  By identifying red flags in advance, entities are better equipped to identify suspicious patterns when they arise and take steps to prevent a red flag from escalating into a case of identity theft. The Red Flags Rule is enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration.

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The Program must include four basic elements, which together create a framework to address the threat of identity theft.

• The Program must include reasonable policies and procedures to identify the “red flags” of identity theft in the day-to-day operations. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account, an ID that looks like it might be fake would be a “red flag”.
• The Program must be designed to detect the red flags identified. For example, if fake a ID is identified as a red flag, there must be procedures in place to detect possible fake, forged, or altered identification.
• The Program must spell out appropriate actions that will be taken when red flags are detected.
• Because identity theft is an ever-changing threat, management and those charged with governance must address how they will re-evaluate the Program periodically to reflect new risks from this crime.

The Rule sets out the basic elements of Identity Theft Prevention Programs, but who is required to comply?  Moreover, how can governmental agencies determine whether or not they are required to comply with the Rule?

As identified by the FTC, the Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires entities to conduct a periodic risk assessment to determine if they have “covered accounts.” They need to implement a written program only if they have covered accounts. It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether a business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

• Financial Institution – The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Banks, federally chartered credit unions, and savings and loan associations come under the jurisdiction of the federal bank regulatory agencies and/or the National Credit Union Administration. Check with those agencies for guidance tailored to those businesses. The remaining financial institutions come under the jurisdiction of the FTC.  Examples of financial institutions under the FTC’s jurisdiction are state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, or other institutions that offer accounts where the consumer can make payments or transfers to third parties.
• Creditor – The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies are among the entities that may fall within this definition, depending on how and when they collect payment for their services. The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others, say, by processing credit applications. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition.

Based on information provided by the FTC with respect to who is required to comply, governmental agencies are not exempt solely based on industry.  Government agencies typically do not qualify as financial institutions.  As a result, most government agencies need only to determine whether or not they are considered to be a creditor as defined by the FTC.  If the government agency defers payment for goods and services and bills customers later, then the government agency may fall within the definition of a creditor, depending on how and when they collect payment for services.  Once the government agency determines whether or not it meets the definition of a creditor, then it must consider whether or not it has covered accounts.  Two categories of accounts are covered:

• The first kind is a consumer account offered to customers which is primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.
• The second kind of “covered account” is “any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to permit multiple payments or transactions – they are always “covered accounts” under the Rule – other types of accounts are “covered accounts” only if the risk of identity theft is reasonably foreseeable. In determining if accounts are covered under the second category, consider how they are opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely – such as through the Internet or by telephone. The government agency risk analysis must consider any actual incidents of identity theft involving accounts like these.

If a governmental agency does not have any covered accounts, then it is not required to have a written Identity Theft Protection Program.  The governmental agency is still required to conduct a periodic risk assessment to determine if it has acquired any covered accounts through changes to structure, processes, or the entity.

If a governmental agency determines that it is a creditor with covered accounts, the governmental agency must develop and implement a written Identity Theft Prevention Program. The Program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. The Program must be appropriate to the size and complexity of the governmental agency and the nature and scope of its activities. A governmental agency with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Program.

If a governmental agency determines that it is required to comply with the Red Flags rule, the following is a four step process that can be used to develop and implement a written Identity Theft Prevention Program.

Identify relevant red flags

1. Identify the red flags of identity theft likely to affect the government agency.
2. Identify risk factors.
3. Identify sources of Red Flags.
4. Consider categories of Common Red Flags:
   • Alerts, Notifications, and Warnings from a Credit Reporting Company
   • Suspicious Documents
   • Suspicious Personal Identifying Information
   • Suspicious Account Activity
   • Notice from Other Sources

Detect red flags

Set up procedures to detect those red flags in day-to-day operations.

1. Consider new accounts.
2. Consider existing accounts

Prevent and mitigate identity theft

If the government agency spots the red flags identified, it should respond appropriately to prevent and mitigate the harm done.  Some common responses include:

• Monitoring a covered account for evidence of identity theft
• Contacting the customer
• Changing passwords, security codes, or other ways to access a covered account
• Closing an existing account
• Reopening an account with a new account number
• Not opening a new account
• Not trying to collect on an account or not selling an account to a debt collector
• Notifying law enforcement
• Determining that no response is warranted under the particular circumstances

Update the Program

The risks of identity theft can change rapidly, so it’s important to keep the Program current and educate pertinent staff. Factor in changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts offered; and changes in the entity, such as mergers, acquisitions, alliances, joint ventures, and arrangements with service providers.

The initial written Program must get the approval of those charged with governance. Those charged with governance may oversee, develop, implement, and administer the Program or may designate a member of management to do the job. Responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how the governmental agency is complying with the Rule, and approving important changes to the Program. The Rule requires that government agencies train relevant staff only as “necessary” – for example, staff that has received anti-fraud prevention training may not need to be re-trained. Employees at many levels can play a key role in identity theft deterrence and detection. The person responsible for monitoring the Program should report at least annually to those charged with governance. The report should evaluate how effective the Program has been in addressing the risk of identity theft; how the government agency is monitoring the practices of service providers; significant incidents of identity theft and response; and recommendations for major changes to the Program.