Insight Center: Publications

New Identity Theft Program Requirements for Most ‘Creditors’ and ‘Financial Institutions:’ One More Extension Granted

Canadian Update

Authors: Gregory J. Nowak and Matthew R. Silver


After several delays, the Federal Trade Commission (FTC) intends to start enforcing the new Identity Theft Red Flags Rule on June 1, 2010.1 Financial entities such as banks that are subject to regulation by U.S. regulators other than the FTC are already subject to the Red Flags Rule.

Those caught within the reach of the Red Flags Rule, "financial institutions" and "creditors" that are subject to oversight by an appropriate U.S. regulator (such as the FTC), will be required to have a written identity theft program (Program) in place.2

Who Is Required to Have an Identity Theft Program in Place?

Step One: Are you a defined ‘financial institution’ or ‘creditor?’

A financial institution such as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer is subject to the Red Flags Rule. A transaction account is a deposit account or other account from which the owner makes payments or transfers, including checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

Under the Red Flags Rule, a "creditor" is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.3 The definition of a creditor is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.4 For example, a professional service provider that allows a client to pay a bill in installments would be a creditor under the Red Flags Rule. In cases in which non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.

Step Two: If you are a ‘financial institution’ or a ‘creditor,’ do you maintain ‘covered accounts?’

A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

"Any other account for which there is a reasonably foreseeable risk" includes small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. The business entity must conduct a risk assessment. The assessment must consider any actual incidents of identity theft a business has experienced.

If your business is a "financial institution" or a "creditor" and maintains "covered accounts" and is subject to the jurisdiction of the FTC or another appropriate U.S. regulator, a Program is required.

What Is a Compliant Identity Theft Program?

Programs must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

  • identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program
  • detect red flags that have been incorporated into the Program
  • respond appropriately to any red flags that are detected to prevent and mitigate identity theft, and
  • ensure the Program is updated periodically to reflect changes in risks from identity theft.

Written Programs need not be complex, provided a few fundamentals are incorporated. If an organization determines that its operations present a low risk for identity theft, the program can likely incorporate its existing informal procedures. After all, most businesses, as a matter of course, would take action upon receiving a report of identity theft concerning one of their accounts or being presented with truly suspicious account documents or clearly inconsistent personal identification.

Pepper Point: Bottom Line? Under the expansive definitions, there are potentially millions of U.S. "creditors" and "financial institutions." Many maintain accounts "primarily for personal, family, or household purposes, that involve or are designed to permit multiple payments or transactions." Many more will find it difficult to determine if they maintain "any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft."

Although there is no private right of action under the Red Flags Rule, failure to comply with the Red Flags Rule could expose a company to negligence-based litigation risk, not to mention action by a regulator. Compliance for low-risk organizations may largely incorporate prudent business procedures. The default should be to create and enforce a Program compliant with the Red Flags Rule.

Entities operating exclusively outside the United States but who meet the definition of "creditor" or that of "financial institution" and who have "covered accounts" with more than a few U.S. parties, should strongly consider adopting a U.S. Complaint Program, if for no other reason than customer expectations.


1 The Red Flags Rule was originally enacted as part of the Fair and Accurate Credit Transactions Act. Recent developments affecting the Red Flags Rule include the U.S. District Court for the District of Columbia decision in October that the FTC may not apply the Red Flags Rule to attorneys, and bill H.R. 3763 (passed by a House vote of 400-0 and currently awaiting Senate action) that would exclude any health care practice, accounting practice, or legal practice with 20 or fewer employees from the meaning of "creditor" under the Red Flags Rule. H.R. 3763 would additionally exclude from the definition of creditor under the Red Flags Rule any other business that the FTC determines: (1) knows all its customers or clients individually, (2) only performs services in or around the residences of its customers, or (3) has not experienced incidents of identity theft and identity theft is rare for businesses of that type.

2 See http://www.fdic.gov/news/news/press/2009/pr09088a.html. Like many federal consumer protection laws, the Red Flags Rule does not expressly address extraterritorial applicability. Entities located outside the United States, such as foreign branches of U.S. banks, are generally not required to comply with the new rules. However, the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the FTC have collectively advised, as a matter of safety and soundness, that financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws.

3 Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include, but are certainly not limited to finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

4 http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm.

Gregory J. Nowak and Matthew R. Silver

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.

Data protection laws have changed, so we have revised our Privacy Policy.