ANN ARBOR – Several governmental agencies jointly issued final rules addressing implementation of Section 114 and Section 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). If any of the following agencies have oversight with respect to your business, you may have an affirmative obligation to comply with the Identity Theft Red Flag Rules.

Office of the Comptroller of the Currency, Treasury (OCC)

Board of Governors of the Federal Reserve System (Board)

Federal Deposit Insurance Corporation (FDIC)

Office of Thrift Supervision, Treasury (OTS)

National Credit Union Administration (NCUA)

Federal Trade Commission (FTC)

What are the Identity Theft Red Flag Rules?

The Red Flag rules are the guidelines issued from these agencies and are directed at detecting, preventing and mitigating identity theft in connection with certain customer accounts. These guidelines require that the subject businesses write and then maintain an Identity Theft Prevention Program.

.

Which Customer Accounts are covered under these new rules?

An account under these rules includes an account that a financial institution or creditor offers or maintains primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card, mortgage loan, auto loan, cell phone, utility or checking account. ?41.90(b)(3)(i).

.

What is a Red Flag under these rules?

A Red Flag is defined a pattern, practice, or specific activity that indicates the possible existence of identity theft. Each enterprise must identify the relevant Red Flags for their customer accounts, have a detection protocol for these Red Flags, and then be able to respond to the triggering of the Red Flags.

What are some of the specific duties targeted by the Red Flag Rules?

The specific duties targeted include the user of consumer reports that receives a notice of address discrepancy from a consumer reporting agency which informs the user of a substantial difference between the address for the consumer that the user provided for the request of the consumer report and the address reported by the agency. ?41.82(b).

What is an Identity Theft Prevention Program?

Subject businesses are required to create and implement a Program that controls the reasonably foreseeable risks to customers? information or to the creditor or financial institution that has custody of the customer?s data. It must incorporate periodic risk assessments that take into consideration methods of opening accounts, accessing accounts, and include the enterprises previous experience with identity theft.

When are the Red Flag Rules effective?

The rules were effective as of January 1, 2008 with a mandatory compliance date of November 1, 2008. NOTE: Last week the Federal Trade Commission issued a statement that it would suspend enforcement until May 1, 2009. This announcement does not affect the compliance date of businesses under the purview of the other listed federal agencies.

Carol Romej is a shareholder in Butzel Long and is co chair of the Technology & eCommerce Group. She also co chairs the Electronic Discovery and Data Records Management. Romej works out of offices in Ann Arbor and Bloomfield Hills. Her phone number is (248) 593-2098. email [email protected]

a>>