Red Flag Law

We are attorneys representing businesses in Houston, Texas.  Clients of ours have asked about “red flag” regulations relating to identity theft.  Recently, federal authorities created regulations governing consumer “accounts.”  Section 114 of the Fair and Accurate Credit Transactions Act directed several government agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or customer.  Financial institutions and creditors must periodically determine whether they offer covered accounts.  A “creditor” is a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors.  A “financial institution” is a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.

A “covered account” is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.  Five factors that help determine whether an account is a “covered account” are (1) the methods the financial institution or creditor provides to open its accounts; (2) the methods it provides to access its accounts; (3) its previous experiences with identity theft; (4) which of the accounts are subject to a risk of identity theft; and (5) the size, location and customer base of the financial institution or creditor.

The agencies determined that only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written program.  The written program must contain reasonable policies and procedures to:
(1)    Identify relevant Red Flags (a pattern, practice, or specific activity that indicates the possible risk of identity theft) for covered accounts and incorporate those Red Flags into the program;
(2)    Detect Red Flags that have been incorporated into the program;
(3)    Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
(4)    Ensure the program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

To allow smaller financial institutions and creditors to tailor their programs to their operations, the program must also be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.  If your business transacts business with consumers and uses or contains sensitive personal information, you may be subject to “red flag” regulations.  Consult a qualified attorney to determine if your business is subject to the new regulations.
