The Red Flags Rule was created by the Federal Trade Commission (FTC), along with other government agencies such as the National Credit Union Administration (NCUA), to help prevent identity theft. The rule was passed in January 2008, and was to be in place by November 1, 2008, but due to push-backs by opposition, the FTC delayed enforcement until December 31, 2010. [1]
In December 2010, the Red Flags Rule was clarified by the Red Flag Program Clarification Act of 2010 [2] to exclude most doctors, lawyers, and other professionals who do not receive full payment at the time when their service is furnished.
The Red Flags Rule was based on section 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 [3] (FACTA).
FACTA was put in place to help
There are two different groups that this rule applies to: Financial Institutions and Creditors. [5] Financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. [6] FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services [7]
The definition of a creditor was clarified by the Red Flag Program Clarification Act of 2010. [2] Under the Clarification Act, a creditor regularly and in the course of business:
This definition was further clarified United States Court of Appeals For the District of Columbia Circuit in its March 4, 2010 ruling on The American Bar Association vs. Federal Trade Commission. [8] The court affirmed Senator Dodd's statement regarding the bill that "lawyers, doctors, ... and other service providers [are] no longer classified as 'creditors' for the purpose of the red flags rule just because they do not receive payment in full from their clients at the time they provide their services."
There are many different companies that this rule applies to: this list includes, but is not limited to finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies; or any other company that advances funds or routinely interacts with consumer credit agencies when performing a service and receiving payment once the work is complete
The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The program must include four basic elements, which together create a framework to address the threat of identity theft. [9] [10]
The program has four elements:
1) Identify Relevant Red Flags
2) Detect Red Flags
3) Prevent and Mitigate Identity Theft
4) Update Program
The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. [6]
The red flags fall into five categories:
The FTC has a created a template for businesses that can be populated to meet an individual company's needs. The template can be found on the FTC website. This template however is appropriate only for small, very low risk businesses.
The Fair Credit Reporting Act of 1970, as amended in 2003 (FCRA), required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flags rules”). [11] Those agencies were the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the Federal Trade Commission (FTC) (together, the “Agencies”). In 2007, the Agencies issued joint final identity theft red flags rules. [12]
On January 1, 2011, the FTC began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments or transactions, such as a retail brokerage account, credit card account, margin account, checking or savings account, or any other accounts with a reasonably foreseeable risk to customers or your firm from identity theft.
On July 21, 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred responsibility for rulemaking and enforcement of identity theft red flag rules and guidelines to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) for the firms they regulate.
On April 19, 2013 the SEC and CFTC published their joint final Identity Theft Red Flags Rule and guidelines to be effective May 20, 2013, with a compliance date of November 20, 2013. The rule and guidelines do not contain requirements that were not already in the FTC Red Flags Rule and guidelines, and do not expand the scope of that rule to include new categories of entities that the rule did not already cover. They do, however, contain examples and minor language changes designed to help guide entities within the SEC's enforcement authority in complying with the rule, which may lead some entities that had not previously complied with the rule to determine that they fall within the scope of the rule that the SEC and CFTC adopted.
As the Red Flag rule widely defines creditors, many businesses (such as utilities) are required to collect personal information (such as SSN and Driver’s License Numbers) that are not needed for business purposes. This policy is contrary to the FTC’s advice to consumers that they should disclose their social security number to others only when absolutely necessary. [13] This aspect of the Red Flag rule has the unintended consequences of increasing the number of business that hold consumers' Social Security numbers thereby putting consumers at greater risk for identity theft through data theft and increasing costs for businesses who are required to secure this data.
The U.S. Securities and Exchange Commission (SEC) is an independent agency of the United States federal government, created in the aftermath of the Wall Street Crash of 1929. The primary purpose of the SEC is to enforce the law against market manipulation.
The Federal Trade Commission Act of 1914 is a United States federal law which established the Federal Trade Commission. The Act was signed into law by US President Woodrow Wilson in 1914 and outlaws unfair methods of competition and unfair acts or practices that affect commerce.
A paper shredder is a mechanical device used to cut sheets of paper into either strips or fine particles. Government organizations, businesses, and private individuals use shredders to destroy private, confidential, or otherwise sensitive documents.
Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.
The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction over federal civil antitrust law enforcement with the Department of Justice Antitrust Division. The agency is headquartered in the Federal Trade Commission Building in Washington, DC.
The Fair Debt Collection Practices Act (FDCPA), Pub. L. 95-109; 91 Stat. 874, codified as 15 U.S.C. § 1692 –1692p, approved on September 20, 1977, is a consumer protection amendment, establishing legal protection from abusive debt collection practices, to the Consumer Credit Protection Act, as Title VIII of that Act. The statute's stated purposes are: to eliminate abusive practices in the collection of consumer debts, to promote fair debt collection, and to provide consumers with an avenue for disputing and obtaining validation of debt information in order to ensure the information's accuracy. The Act creates guidelines under which debt collectors may conduct business, defines rights of consumers involved with debt collectors, and prescribes penalties and remedies for violations of the Act. It is sometimes used in conjunction with the Fair Credit Reporting Act.
The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to shield consumers from the willful and/or negligent inclusion of erroneous data in their credit reports. To that end, the FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information. Together with the Fair Debt Collection Practices Act (FDCPA), the FCRA forms the foundation of consumer rights law in the United States. It was originally passed in 1970, and is enforced by the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and private litigants.
A credit history is a record of a borrower's responsible repayment of debts. A credit report is a record of the borrower's credit history from a number of sources, including banks, credit card companies, collection agencies, and governments. A borrower's credit score is the result of a mathematical algorithm applied to a credit report and other sources of information to predict future delinquency.
Debt collection is the process of pursuing payments of money or other agreed-upon value owed to a creditor. The debtors may be individuals or businesses. An organization that specializes in debt collection is known as a collection agency or debt collector. Most collection agencies operate as agents of creditors and collect debts for a fee or percentage of the total amount owed. Historically, debtors could face debt slavery, debtor's prison, or coercive collection methods. In the 21st century in many countries, legislation regulates debt collectors, and limits harassment and practices deemed unfair.
The Fair and Accurate Credit Transactions Act of 2003 is a U.S. federal law, passed by the United States Congress on November 22, 2003, and signed by President George W. Bush on December 4, 2003, as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies. In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the web site AnnualCreditReport.com to provide free access to annual credit reports.
Know Your Customer (KYC) guidelines and regulations in financial services require professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with a customer. The procedures fit within the broader scope of anti-money laundering (AML) and counter terrorism financing (CTF) regulations.
A credit bureau is a data collection agency that gathers account information from various creditors and provides that information to a consumer reporting agency in the United States, a credit reference agency in the United Kingdom, a credit reporting body in Australia, a credit information company (CIC) in India, a Special Accessing Entity in the Philippines, and also to private lenders. It is not the same as a credit rating agency.
A Customer Identification Program (CIP) is a United States requirement, where financial institutions need to verify the identity of individuals wishing to conduct financial transactions with them and is a provision of the USA Patriot Act. More commonly known as know your customer, the CIP requirement was implemented by regulations in 2003 which require US financial institutions to develop a CIP proportionate to the size and type of its business. The CIP must be incorporated into the bank's Bank Secrecy Act/Anti-money laundering compliance program, which is subject to approval by the financial institution's board of directors.
A debt buyer is a company, sometimes a collection agency, a private debt collection law firm, or a private investor, that purchases delinquent or charged-off debts from a creditor or lender for a percentage of the face value of the debt based on the potential collectibility of the accounts. The debt buyer can then collect on its own, utilize the services of a third-party collection agency, repackage and resell portions of the purchased portfolio, or use any combination of these options.
Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.
Bank regulation in the United States is highly fragmented compared with other G10 countries, where most countries have only one bank regulator. In the U.S., banking is regulated at both the federal and state level. Depending on the type of charter a banking organization has and on its organizational structure, it may be subject to numerous federal and state banking regulations. Apart from the bank regulatory agencies the U.S. maintains separate securities, commodities, and insurance regulatory agencies at the federal and state level, unlike Japan and the United Kingdom. Bank examiners are generally employed to supervise banks and to ensure compliance with regulations.
The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.
The Personal Data Privacy and Security Act of 2009, was a bill proposed in the United States Congress to increase protection of personally identifiable information by private companies and government agencies, set guidelines and restrictions on personal data sharing by data brokers, and to enhance criminal penalty for identity theft and other violations of data privacy and security. The bill was sponsored in the United States Senate by Patrick Leahy (Democrat-Vermont), where it is known as S.1490.
Chris Jay Hoofnagle is an American professor at the University of California, Berkeley who teaches information privacy law, computer crime law, regulation of online privacy, internet law, and seminars on new technology. Hoofnagle has contributed to the privacy literature by writing privacy law legal reviews and conducting research on the privacy preferences of Americans. Notably, his research demonstrates that most Americans prefer not to be targeted online for advertising and despite claims to the contrary, young people care about privacy and take actions to protect it. Hoofnagle has written scholarly articles regarding identity theft, consumer privacy, U.S. and European privacy laws, and privacy policy suggestions.
Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.
{{cite web}}
: CS1 maint: archived copy as title (link)