Update: On May 28, 2010, at the request of several Members of Congress, the Federal Trade Commission announced it is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC indicated that it will begin enforcement as of that effective date.
--------------------------------------------------------------------------------
The Identity Theft Red Flags Rule (the “Rule”), 16 C.F.R. Part 681.2, was developed by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act of 2003. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.
While many associations meet the Rule’s definition of a “creditor” because they accept payments over time for good/services provided, such as membership dues, publications, events, etc., many of these associations will not meet the Rule's second prong for coverage, which is having a “covered account.”
An account is “covered” under the Rule if it is for personal/household use. If not, the account can still be “covered” if there is a reasonably foreseeable risk of identity theft to either the account holder or the association, based on past experience in the opening, accessing or transactional use associated with the account.
Therefore, it is crucial to first conduct a risk assessment to see whether or not the association’s risk of identity theft regarding customer accounts (including those of both members and non-members, whether corporate or individual) is reasonably foreseeable; if not, then the association does not have “covered accounts” and is not within the scope of the Rule. In that case, the association should keep a copy of this written risk assessment on file, and update the risk assessment at least annually, as evidence of Rule non-coverage.
If, on the other hand, the risk assessment indicates a reasonably foreseeable risk of ID theft and hence Rule coverage, then the association's Identity Theft Prevention/Red Flag Program must also include a written Policy and Procedures. The following risk assessment tools are one possible way to weigh some of the various facts that might go into such an assessment. But each association must consider its own facts and experiences in dealing with customer account information, to arrive at its own particular assessment of the ID theft risks.
Finally, it is important to remember that there are numerous other laws and regulations, at both the federal and state levels, that may cover associations' privacy and information security practices, depending on the type of information obtained, used, sold/transferred, and retained and/or disposed. Associations, therefore, must consult legal counsel to determine their specific coverage and compliance issues with regard to privacy and information security practices.
* * * * * *
RISK ASSESSMENT
Number of Customers, during the period from 1/1/XX to date: ______________
Number of Customer Transactions, from 1/1/XX to date: __________________
[Appropriate time frame for risk assessment: past 3-5 years preferable, past 2 years minimum. Customers includes both members and non-members, whether corporate or individual]
Risk Assessment Key
O=Open
A=Access (view balance; change personal information; change payment method)
T=Can conduct transactions (make a payment; transfer funds; obtain products)
“Experience” indicates whether association has had previous experiences with identity theft with respect to each specific type of account.
Risk ratings* are “High” (H), “Moderate” (M), and “Low” (L).
*Explanation for risk ratings: Risk ratings are based on the association’s size in terms of customers and annual transactions, the number of individuals authorized to access each customer's account, and the association's existing policies and procedures (such as Internet security, account oversight, account agreements, etc.). The risk also depends on the types of products/services normally sold to each customer, the accessibility of the customer account, the association’s experience with identity theft, and how susceptible the offered products and services are to fraudulent activity.
Our next posting will be the second half of this article ASSESSMENT OF ASSOCIATION’S ACCOUNTS/SERVICES, METHODS FOR OPENING ACCOUNTS, METHODS FOR ACCESSING ACCOUNTS