What Owners Need to Know About the Federal "Red Flags Rule"
The Red Flags Rule is a regulation published by the Federal Trade Commission (FTC) under its consumer protection authority to compel businesses to develop written plans to combat identity theft. It was created under the authority of the Fair and Accurate Credit Transactions Act (FACTA) and the federal Fair Credit Reporting Act (FCRA).
This federal regulation could expose owners and property managers to significant liability. We will explain what the Red Flags Rule is and provide some guidance for becoming compliant. This is especially important as enforcement of the regulation starts on Jan. 1, 2011.
What Is the FACTA Red Flags Rule?
The Red Flags Rule requires financial institutions and creditors that have “covered accounts” to develop and implement written identity theft prevention programs. The purpose of those identity theft programs is to help identify, monitor for, detect, and respond to patterns, practices, or specific activities—known as “red flags”—that could indicate that an instance of identity theft has occurred or might occur in the future.
Red flags include unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents, as well as other atypical, strange, or suspicious activity related to an individual's personal information.
Five general red flag categories and 26 specific potential red flag events are identified by the FTC in a supplement to the regulation. The general categories include:
- Alerts, notifications, or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personally identifying information, such as a suspicious address;
- Unusual use of—or suspicious activity relating to—a covered account; and
- Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
Who Is Covered by the Rule?
Financial institutions and creditors are covered by the rule. While determining what is a financial institution is fairly straightforward, defining a creditor under the rule is more complicated. Under the Red Flags Rule you are a creditor if you:
- Extend, renew, or continue credit;
- Arrange for someone else to extend, renew, or continue credit; or
- Are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.
Under the Red Flags Rule, “credit” means an agreement in which payment is deferred or made subsequent to the purchase of property or services.
What Is a Covered Account?
If you are a covered financial institution or creditor, the second test for determining whether the Red Flags Rule applies to you is: Do you have covered accounts? There are two types of covered accounts:
- A consumer account that involves multiple payments or transactions, such as credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts; or
- An account where there is a reasonably foreseeable risk of identity theft. Coverage here can be triggered by the vulnerability of the business due to business type, size, or available resources, along with other factors.
How the Rule Applies to Owners, Property Management Companies
Unfortunately, the regulation doesn't specifically name owners and property management companies as examples of covered businesses or exempt businesses. While an owner is not generally thought of as a creditor, the FTC has stated that it will take a broad view of the term.
An owner may be deemed to extend credit any time it enters into a partial payment agreement with a tenant. Also, owners of master-metered buildings are likely to be considered creditors if they charge for utilities after the fact, based upon individual usage.
Although it is unknown whether the FTC will actually enforce this regulation against owners and management companies, owners should consider coming up with a policy that meets the standards of the Red Flags Rule.
If applied to owners and management companies, the rule requires written plans that say what the business is doing to identify red flags indicating a possible identity theft problem and that state how it aims to prevent identity theft. The plan also needs to specifically say what steps the company has taken to protect and safeguard customer information, and what procedures are in place to ensure those steps remain effective. Finally, the program needs to identify who is responsible for the components of the program and for training affected personnel.
The FTC has created an interactive form for businesses and organizations at low risk for identity fraud to assist them in developing an appropriate identity theft prevention program. The form can be found at www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf.