{ Banner Image }

Just the Facts: The New Fact Act and Identity Theft Red Flag Rules

Click to Share Share  |  Twitter Facebook
Administrative & Municipal Practice Group
Foster Swift Municipal Law News
October 2008

Many of you may have heard about a new federal law called the FACT Act, or new federal rules often referred to as "Red Flag Rules." Some of you may also have heard that those Red Flag Rules concern identity theft issues. Even if you’ve heard of the FACT Act or Red Flag Rules, some of you might still be wondering whether your municipality must take any actions in response to the FACT Act and Red Flag Rules. If you fall into the category described in that last sentence, then this summary is for you.

Below is a quick summary of some of the details behind those Red Flag Rules and how they may apply to municipalities.

What is the FACT Act?

The FACT Act stands for the Fair and Accurate Credit Transactions Act of 2003. The FACT Act added several new provisions to the Fair Credit Reporting Act, 15 USC 1681 et seq. The most relevant part of the FACT Act here is Section 114, 15 USC 1681 m(e). Section 114 of the FACT Act directs the Federal Trade Commission, with input from other federal agencies (collectively, the Agencies), to create rules regarding ways to detect, prevent, and mitigate identity theft, and to identify who must have an identity theft policy.

What are the Red Flag Rules?

Pursuant to the FACT Act’s charge that the Agencies create new rules on identity theft issues, the Agencies then began the process to do so. On November, 2007, the Agencies eventually agreed on and adopted these new federal rules. Those new federal rules are very detailed and comprehensive. Among other things, those new federal rules require that all "financial institutions" and "creditors" that maintain a "covered account" adopt an Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft by identifying "red flags." The new federal rules define a "red flag" as "a pattern, practice, or specific activity that indicates the possible existence of identity theft."

Appendix J of the new federal rules then lists 26 illustrative examples of red flags that such a Program might address. Among other things, those red flags cover situations involving receipt of suspicious documents (such as identification documents that appear to have been forged); receipt of suspicious personal identifying information (lack of correlation between the Social Security Number range and date of birth); or unusual use of or suspicious activity related to a covered account (mail sent to the customer is repeatedly returned as undeliverable). It is these 26 red flag examples, along with the Agencies’ new federal rules, that are commonly referred to as the Red Flag Rules.

So what exactly do the FACT Act and Red Flag Rules require?

The heart of the FACT Act and Red Flag Rules is understanding their scope. Under them, all "financial institutions" and "creditors" who maintain "covered accounts" must develop and implement a written Program. The new rules define those key terms as follows:

  • A "financial institution" is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that directly or indirectly holds a transaction account belonging to a customer.
  • A "creditor" is defined as including any person who offers or extends credit creating a debt or to whom a debt is owed, and includes a utility company or telecommunication company.
  • A "covered account" is defined as follows:
    • an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a utility account, credit card account, mortgage loan, automobile loan, margin account, cell phone account, checking account, or savings account; or
    • any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.

So do all municipalities have to adopt an Identity Theft Prevention Program?

Only entities that meet the above definitions must adopt such a Program. The key question in that analysis is whether the municipality maintains any "covered accounts." Municipalities who maintain utility accounts, for example, are subject to having such a Program.

If the FACT Act and Red Flag Rules apply to a municipality, what must their Identity Theft Program contain?

The new federal rules give specific items that a Program must include. Generally stated, the Program must be designed to detect, prevent, and mitigate identity theft, and should be tailored to the entity’s size, complexity, and nature of operations.

There are six basic elements that must be included in such a Program. The Program must contain "reasonable policies and procedures" to

  • Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
  • Detect Red Flags that have been incorporated into the Program;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft;
  • Ensure the Program – and relevant Red Flags – are updated periodically to reflect changes in risks to customers or to the safety and soundness of the entity from identity theft;
  • Provide for continued administration of the Program, by getting approval of the initial written Program from the governing body of the municipality; involving the governing body or a designated employee at senior management level with oversight, development, implementation, and administration of the Program; training staff to implement the Program; and exercising oversight of service provider arrangements; and
  • Consider the Red Flags listed in Appendix J of the new federal rules, and include in its Program those guidelines that are appropriate.

Is there an important deadline I should know about?

All entities who are required to adopt an Identity Theft Program must do so by November 1, 2008.

Foster, Swift, Collins & Smith, P.C.’s municipal team is well-versed in the FACT Act, its Red Flag Rules, and preparing Identity Theft Prevention Programs. Please let us know if you would like Foster, Swift, Collins & Smith, P.C. to help with your questions on the subject.