The FTC’s deadline for businesses to develop an Identity Theft Prevention Program was once again extended. Now, companies have until the end of the year to develop a program. The purpose of the extension is to allow Congress time for further exploration into what types of business should be subject to The Red Flag Rules (The Rule). Currently, The Rule applies to financial institutions and creditors with covered accounts. The FTC has specific definitions for financial institutions, creditors and covered accounts as described below.
Examples of financial institutions subject to FTC oversight include state-chartered credit unions, mutual funds that offer accounts with check-writing privileges and other entities that hold consumer transaction accounts (a transaction account is a deposit or other account from which the owner makes payments or transfers). Banks, federally-charted credit unions and savings and loans are subject to regulation by the National Credit Union Administration or federal bank regulatory agencies, not the FTC.
Creditors are entities that regularly extend, renew or continue credit. Entities that regularly arrange credit extensions, renewals and continuations are also considered creditors. Finally, any assignee of an original creditor who is involved in the decision to extend, renew or continue credit is considered a creditor. Possible examples include finance companies, auto dealers, mortgage brokers, healthcare providers, utility companies and telecommunication companies. Non-profit and government entities that defer payment for goods and services are also considered creditors. Simply accepting credit cards as a form of payment does not meet the definition of creditor.
A covered account involves multiple payments or transactions and is an account used primarily for personal, family or household reasons. Examples are credit card accounts, mortgage loans, auto loans, margin accounts, mobile phone accounts, utility accounts, checking accounts and savings accounts. A covered account is also an account with a predictable risk of identity theft such as small business accounts.
If congress is able to quickly pass legislation to resolve issues regarding who is subject to the rules, then the FTC’s extension may be voided and an earlier enforcement deadline could be enacted. Companies concerned with compliance should know that the FTC does not conduct regular compliance audits; however if investigated and found to be in violation of The Rule, the FTC may seek both monetary civil penalties and injunctive relief for the violations(s). The current maximum civil penalty per violation is $3,500.