The “Identity Theft Red Flag Rules” (Rules) impose mandatory compliance with the regulations that require financial institutions or creditors to establish (1) protocols on discrepancies between an address requested in a consumer report and the address in the consumer reporting agency's file, and (2) policies and procedures to assess the validity of a change of address. Most important, however, the Rules require these same financial institutions or creditors to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with a covered account. Examples of identity theft red flags include: (1) warning from consumer reporting agencies, (2) suspicious documents, or (3) suspicious personal information. Enforcement of the Rules have been delayed for six months until May 2009.
The final rule and regulations were jointly issued on November 9, 2007, by the Federal Trade Commission and Federal Deposit Insurance Corporation, along with other federal financial institution regulatory agencies, at 16 C.F.R. section 681.1 et seq., to implement section 114 of the Fair and Accurate Credit Transactions Act of 2003 and section 315 of the FACT Act.
The Rules apply not only to financial institutions and creditors such as banks, credit unions, savings associations, mortgage lenders, mortgage brokers, auto dealers, phone companies, utility companies, but to the health care industry as well, according to Kevin D. Lyles of Jones Day, and Naomi Lefkovitz of the FTC, Division of Privacy and Identity Protection. Lyles and Lefkovitz provided a detailed explanation of the requirements of the Rule and answered questions at a Society of Corporate Compliance and Ethics web conference on October 15, 2008.
The breadth of the Rules comes from the broad definition of creditors. Creditor means “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” Consequently, many health care entities may be involved in the process of extending or maintaining credit and, therefore, must comply with the Rules, even though they do not extend credit themselves. For instance, a physician that provides a medical exam, but sends a bill at the end of the month would fall under these regulations. Hospitals that defer payment for items and services, likewise, would be considered creditors. The Rules state a creditor has a duty to protect against identity theft in connection with a “covered account” that “a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.”
CCH Chicago Bureau.