Identity Theft Prevention Programs: Why Your Company May Be Required To Have One
May 30, 2008

Beginning in November, many companies will be required to comply with new federal regulations aimed at curbing identity theft. The new rules not only extend to banks and credit card issuers but also embrace any company that provides products or services on a deferred-payment basis. That includes, for example, utility and cellular service providers, cable companies, telecom companies, and even retailers that make sales payable in installments.
Identity theft occurs when an individual steals another person’s name and identifying information to commit fraud. In 2007, identity theft affected approximately 8.4 million Americans and represented the most common consumer complaint received by the Federal Trade Commission (FTC).
To combat this problem, Congress enacted the Fair and Accurate Credit Transactions Act, known as FACTA. FACTA requires businesses to implement measures that will help prevent, detect, and mitigate identity theft. Recently, regulators of financial institutions and the FTC finalized a joint rule (the “Rule”) that implements FACTA’s requirements. By November 1, covered companies must comply with the Rule by implementing an identity theft prevention program.
Breadth of Coverage
As noted above, the Rule implementing FACTA’s requirements covers more than just traditional “financial institutions” like banks, thrifts, and credit unions. It also extends to businesses that make deferred-payment sales as well as non-bank “creditors” such as finance companies, card issuers, and other lenders.
Whether a business is covered by the Rule hinges on whether it maintains “covered accounts,” which are defined as:
- accounts designed primarily for personal, family, or household purposes that involve or permit multiple payments or transactions; or
- any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.
This two-prong definition means that the Rule’s requirements extend not only to accounts held by consumer clients but also to accounts held by business clients that are subject to a reasonably foreseeable risk of identity theft. Although identity theft has primarily impacted consumers, the government agencies that crafted the Rule also determined that small businesses merit protection under the Rule. Consequently, even financial institutions and creditors that have no consumer accounts will need to assess whether any business accounts are subject to a “reasonably foreseeable risk” of identity theft. If so, the company will need to implement an identity theft prevention program for those accounts.
Elements of an Identity Theft Prevention Program
The purpose of an identity theft prevention program is to “detect, prevent and mitigate” identity theft. To this end, the Rule includes four major requirements.
- Programs must be tailored to the potential risks. Under the Rule, institutions and creditors enjoy significant flexibility in fashioning identity theft prevention programs. First, the Rule requires each institution and creditor to assess whether a program is necessary to protect any covered accounts. If the institution or creditor determines that a program is necessary, it must establish a written program tailored to the particular risks facing both new and existing accounts. In developing the program, the institution or creditor may take into account the type, size and complexity of the business, the nature and scope of its activities, the methods the business allows to open and access accounts, and the business’s previous experiences with identity theft. If the institution or creditor initially determines that a program is not necessary, it still must periodically reassess whether it maintains any covered accounts and whether any new circumstances indicate that a program may be required.
- Programs must be designed to identify and detect “red flags.” Under the Rule, a covered creditor or institution must attempt to identify and detect “red flags.” A red flag is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” Examples of red flags include alerts, notifications, or other warnings received from consumer reporting agencies or fraud detection services; suspicious documents or personal identifying information presented to the institution or creditor; and any notice received from customers, trade associations, or law enforcement authorities regarding possible identity theft in connection with covered accounts. The Rule references extensive guidelines that must be considered when developing an identity theft prevention program.
- Programs must respond appropriately to red flags. The Rule requires companies to attempt to detect red flags and to respond appropriately when they are detected. Procedures to detect red flags may include customer authentication, verification of address changes and of new customers’ identities, and procedures for detecting suspicious transactions. When red flags are detected, the program also should provide for appropriate responses, which may include contacting affected customers, monitoring or closing affected accounts, and notifying law enforcement.
- Programs must be appropriately administered and periodically updated. When implementing an identity theft prevention program, the institution or creditor must obtain approval of the initial written program by the company’s board of directors or a committee of the board. Subsequent evaluations of or changes to the program may be handled by the board, a board committee, or senior management. Covered institutions must periodically review and update their programs to address new risks and changed circumstances. They also must ensure oversight of the program and provide appropriate staff training.
Other Program Requirements
The Rule includes other significant requirements for implementation of an identity theft prevention plan, such as:
- Oversight of third-party service providers. Covered institutions and creditors are required to monitor third-party service providers who have been granted access to customer information. In turn, third-party service providers also are required to comply with the Rule’s requirements, either through a prevention program of their own or through the program of the institution or creditor that employs their services.
- Card issuers must verify certain change of address requests. When a customer requests a replacement card within 30 days after a change of address to an account, the card issuer must notify the cardholder of the request or otherwise assess the validity of the address change.
Additional Rules Affecting Users of Consumer Reports
FACTA creates new requirements for users of consumer reports designed to prevent misuse of consumers’ credit histories. Whenever an address provided by a user of a consumer report substantially differs from the address the credit reporting agency has on file, the credit reporting agency must notify the user of the discrepancy.
Prior to using a consumer report, FACTA requires users who receive notice of an address discrepancy to form a “reasonable belief” that the individual who furnished the conflicting address information is in fact the individual to whom the report applies. FACTA provides the report user with several examples of policies and procedures that may be used to form a “reasonable belief.” In the absence of a reasonable belief, users should not rely on the report information.