On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to “assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking” on identity theft. The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Some of the highlights from the FAQ are:
- The agencies clarified that “all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as ‘financial institutions,’ whether or not they hold a transaction account belonging to a consumer,” and including “those whose powers are limited to trust activities;”
- Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a “financial institution” or “creditor” under the Fair Credit Reporting Act;
- IRAs will generally be considered “covered accounts” and thus subject to the Rules and Guidelines;
- The term “covered account” includes accounts established in the United States by non-U.S. residents;
- Check forgery or use of a stolen credit card constitutes “identity theft” because it involves a fraud using the identifying information of another person without authority;
- The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs “may be helpful as part of an overall effort to address the problem of identity theft;”
- Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such systems with non-automated procedures;
- The Rules and Guidelines require financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services.
While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful. For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions. Moreover, much of the guidance given was extremely vague. For example, many of the answers to questions regarding covered accounts could be summarized as “it depends on whether the institution determines that there is a foreseeable risk of identity theft.” It would have been helpful for the agencies to provide some examples or other more concrete information. Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.
- Frequently Asked Questions: Identity Theft Red Flags and Address Discrepancies (.pdf), also available from the FTC here (.pdf)
- June 11, 2009 Joint Release: Agencies Issue Frequently Asked Questions on Identity Theft Rules