In-House Counsel
Red Flags Rule and Identity Theft Protection Compliance
Tyler W. Mullen, The Legal Intelligencer
Have you ever been many miles from home, perhaps on vacation, when suddenly your bank notifies you that your credit card account has been frozen? Such occurrences always seem to happen at the most inopportune moments. However, the credit card freeze may simply be the bank's attempt to comply with the so-called "Red Flags Rule."
In our ever-evolving technological landscape, consumer information may be more vulnerable now than ever before. Instances of identity theft—using another's personal data fraudulently or deceptively, usually for financial gain—occur at an alarming rate. In 2014 alone, an estimated 17.6 million U.S. residents experienced some form of identity theft, according to the Bureau of Justice Statistics. In an effort to curb the identity theft epidemic, various federal regulators administer the Red Flags Rule, requiring certain financial institutions and creditors to take extra care in protecting consumer financial information. Although general counsel of banks, savings and loan associations, and credit unions clearly should take note, the rule is very broad, and less obvious entities may also need to comply with the rule.
What is the Red Flags Rule?
The Red Flags Rule, originally born under the Fair and Accurate Credit Transactions Act and implemented by the Federal Trade Commission, is a regulation designed to combat consumer identity theft. Although first implemented only by the FTC, Dodd-Frank expanded the number of agencies responsible for enforcing the rule. Now, many agencies including the FTC, U.S. Securities and Exchange Commission, U.S. Commodity Futures Trading Commission (CFTC) and Federal Deposit Insurance Corp. (FDIC) each enforce substantially similar versions of the rule within their respective regulatory spheres.
The rule requires covered persons and entities to implement written identity theft prevention programs designed to detect, prevent and mitigate identity theft by monitoring "red flags." Red flags are patterns, practices, or specific activities indicating the possible existence of identity theft. Some examples of common red flag categories include unusual account activity, inconsistencies in personal information, or alerts from credit reporting, according to the FTC's "Fighting Identity Theft With the Red Flags Rule: A How-To Guide for Business."
Which Entities must Comply?
Financial institutions and creditors offering or maintaining covered accounts are subject to the Red Flags Rule. Therefore, the first step in determining whether the rule applies involves identifying whether an entity constitutes a "financial institution" or "creditor." The second step is to decide whether such financial institutions or creditors offer or maintain "covered accounts."
• Financial institutions or creditors.
Financial institutions include banks, savings and loan associations, mutual savings banks, credit unions, and other persons or entities holding consumer transaction accounts. A transaction account is an account from which owners may make multiple payments to third parties. Furthermore, under the SEC's version of the rule, financial institutions include certain brokers, dealers, investment companies and investment advisers.
The definition of creditor is relatively less clear and likely more inclusive. Creditors are determined by conduct under the rule, not class. Creditors include any entity or person that, regularly and in the ordinary course of business, extends or arranges for credit and (1) obtains or uses consumer reports in connection with a credit transaction, (2) furnishes information to consumer reporting agencies, (3) advances funds to or on behalf of a person based on a repayment obligation, or (4) offers or maintains credit accounts subject to reasonably foreseeable identity theft vulnerabilities.
Thus, the definition of creditor is extremely broad and covers a wide spectrum of businesses, from banks and finance companies to automotive dealers and utility companies. The definition does, however, expressly omit those who advance funds for expenses incidental to services provided by the creditor, which shelters many professionals who allow delayed payment for services. However, determining whether an entity or person constitutes a creditor is ultimately a fact-specific inquiry with no bright-line rule.
• Covered accounts.
Finally, as mentioned above, only financial institutions or creditors offering or maintaining covered accounts are subject to the rule. Covered accounts include both (1) consumer accounts used for personal, family, or household purposes involving multiple payment transactions, and (2) any account entailing a reasonably foreseeable risk of identity theft, or risk to the safety and soundness of the financial institution. Credit card accounts, mortgage and automobile loans, and checking and savings accounts fall into the first category; they are all consumer accounts from which multiple payment transactions can be initiated.
The second covered accounts category is the catch-all. Individual risk assessments should be performed to determine whether accounts involve reasonably foreseeable identity theft risks. Common factors to consider include how the account is opened or accessed. For example, accounts that may be accessed remotely are typically higher risk than accounts requiring the physical presence of the account holder.
Penalties for Noncompliance
Beyond exposing consumers to the ever-increasing threat of identity theft, failure to comply with the Red Flags Rule can prove costly for businesses. The FTC may seek monetary penalties of up to $2,500 per knowing violation of the rule, or injunctive relief requiring the entity to comply with the rule. Penalties are assessed based on the degree of culpability involved, history of prior conduct, ability to pay, the effect on the business's ability to continue, and other factors as justice requires. Additionally, as many general counsel know, disputes with federal regulators typically involve hefty legal expenditures and opportunity costs.
How do Covered Entities Comply?
So, how can covered entities protect their customers from identity theft while also protecting themselves from administrative enforcement? Simple: Covered entities must implement a written identity theft prevention program consistent with the Red Flags Rule. The rigor and comprehensiveness of a particular entity's program can be commensurate with the level of risk posed to consumers. However, each program should include four basic elements.
First, programs must identify relevant red flags, which may vary depending on the nature of the business and type of account. For instance, a common red flag indicating stolen account information involves purchases in locations not typically associated with the account. The rule gives some guidance on categories of common red flags, which include alerts from credit reporting companies, suspicious documents, inconsistent personal identifying information, unusual account activity, and notices from law enforcement or customers.
Second, programs must be designed to detect relevant red flags. Perhaps the most common method of detecting red flags involves personal identity verification procedures. You may have applied for a credit card recently, only to spend what seemed like an eternity answering detailed questions about your past addresses or employers. Such procedures—though mildly annoying—are designed to protect consumer information. Other methods, such as password encryption, PIN number usage, and restricting the ability to open accounts from telephones outside an applicant's home, may also be employed.
Third, programs must dynamically respond to red flags to prevent or mitigate identity theft. Freezing the account, contacting the account holder to verify account activity, or simply monitoring the account for a specified period of time may be appropriate. However, even measures as drastic as notifying law enforcement may be necessary.
Finally, programs must include procedures for periodic reassessments and updates as necessary. Identity theft techniques will evolve as technology develops and criminals become more tech-savvy. Means of preventing identity theft will also undoubtedly evolve. Each program should be revisited periodically in order to stay abreast of any relevant developments.
Such identity theft prevention programs must be approved by a company's board of directors, or other senior management if no board exists. Programs should also outline applicable staff training procedures, teaching the appropriate people to implement the programs and identify red flags. Periodic oversight by either the board or senior management is also highly advised.
In light of recent technological advancements and the need for protecting sensitive consumer information, identity theft compliance, as governed by the Red Flags Rule, is an important consideration for general counsel.