Assessing Associations' Identity Theft Red Flags and Risks

Update:  On May 28, 2010, at the request of several Members of Congress, the Federal Trade Commission announced it is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC indicated that it will begin enforcement as of that effective date.


The Identity Theft Red Flags Rule (the “Rule”), 16 C.F.R. Part 681.2, was developed by the Federal Trade Commission pursuant to the Fair and Accurate Credit Transactions Act of 2003. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.

While many associations meet the Rule’s definition of a “creditor” because they accept payments over time for goods/services provided, such as membership dues, publications, events, etc., many of these associations will not meet the Rule's second prong for coverage, which is having a “covered account.”

An account is “covered” under the Rule if it is offered or maintained primarily for personal, family or household purposes and involves or is designed to permit multiple payments or transactions. If not, the account can still be “covered” if there is a reasonably foreseeable risk of identity theft to either the account holder or the association (including financial, operational, compliance, reputation or litigation risk), based on the association's past experience with the opening, accessing or transactional use of such accounts.

Therefore, it is crucial to first conduct a risk assessment to see whether or not the association’s risk of identity theft regarding customer accounts (including those of both members and non-members, whether corporate or individual) is reasonably foreseeable; if not, then the association does not have “covered accounts” and is not within the scope of the Rule. In that case, the association should keep a copy of this written risk assessment on file, and update the risk assessment at least annually, as evidence of Rule non-coverage.

If, on the other hand, the risk assessment indicates a reasonably foreseeable risk of ID theft and hence Rule coverage, then the association's Identity Theft Prevention/Red Flag Program must also include a written Policy and Procedures. The following risk assessment tools are one possible way to weigh some of the various facts that might go into such an assessment. But each association must consider its own facts and experiences in dealing with customer account information, to arrive at its own particular assessment of the ID theft risks.

Finally, it is important to remember that there are numerous other laws and regulations, at both the federal and state levels, that may cover associations' privacy and information security practices, depending on the type of information obtained, used, sold/transferred, and retained and/or disposed. Associations, therefore, must consult legal counsel to determine their specific coverage and compliance issues with regard to privacy and information security practices.

*  *  *  *  *  *

RISK ASSESSMENT

Number of Customers, during the period from 1/1/XX to date: ______________

Number of Customer Transactions, from 1/1/XX to date: __________________

[Appropriate time frame for risk assessment: past 3-5 years preferable, past 2 years minimum. Customers includes both members and non-members, whether corporate or individual]

Risk Assessment Key

O=Open

A=Access (view balance; change personal information; change payment method)

T=Can conduct transactions (make a payment; transfer funds; obtain products)

“Experience” indicates whether association has had previous experiences with identity theft with respect to each specific type of account.

Risk ratings* are “High” (H), “Moderate” (M), and “Low” (L).

*Explanation for risk ratings: Risk ratings are based on the association’s size in terms of customers and annual transactions, the number of individuals authorized to access each customer's account, and the association's existing policies and procedures (such as Internet security, account oversight, account agreements, etc.). The risk also depends on the types of products/services normally sold to each customer, the accessibility of the customer account, the association’s experience with identity theft, and how susceptible the offered products and services are to fraudulent activity.

ASSESSMENT OF ASSOCIATION’S ACCOUNTS/SERVICES, METHODS FOR OPENING ACCOUNTS, METHODS FOR ACCESSING ACCOUNTS

[Association] allows customers to open and access accounts and conduct transactions in-person, by mail, by telephone, and online [modify and change accordingly, both here and on following charts, to eliminate any irrelevant charts or portions thereof]. The risk of identity theft relating to the type of account, and the means of opening and accessing accounts and conducting transactions, are assessed below:

IN-PERSON

 Accounts Offered                              | Interaction (O/A/T) | IDT Experience (Y/N) | Risk (H/M/L)
 Large corporate accounts                      |                     |                      |
 Small corporate accounts                      |                     |                      |
 [insert any other distinct types of account]  |                     |                      |
 Sole proprietorship/individual accounts       |                     |                      |

The overall risk rating for account opening, accessing accounts, and conducting transactions in person is [low/moderate/high].

BY MAIL

 Accounts Offered                              | Interaction (O/A/T) | IDT Experience (Y/N) | Risk (H/M/L)
 Large corporate accounts                      |                     |                      |
 Small corporate accounts                      |                     |                      |
 [insert any other distinct types of account]  |                     |                      |
 Sole proprietorship/individual accounts       |                     |                      |

The overall risk rating for account opening, accessing accounts, and conducting transactions by mail is [low/moderate/high].

BY TELEPHONE

 Accounts Offered                              | Interaction (O/A/T) | IDT Experience (Y/N) | Risk (H/M/L)
 Large corporate accounts                      |                     |                      |
 Small corporate accounts                      |                     |                      |
 [insert any other distinct types of account]  |                     |                      |
 Sole proprietorship/individual accounts       |                     |                      |

The overall risk rating for account opening, accessing accounts, and conducting transactions by telephone is [low/moderate/high].

ONLINE

 Accounts Offered                              | Interaction (O/A/T) | IDT Experience (Y/N) | Risk (H/M/L)
 Large corporate accounts                      |                     |                      |
 Small corporate accounts                      |                     |                      |
 [insert any other distinct types of account]  |                     |                      |
 Sole proprietorship/individual accounts       |                     |                      |

The overall risk rating for account opening, accessing accounts, and conducting transactions online is [low/moderate/high].

[Note: In determining the association's risk regarding accounts/services and methods for opening and accessing accounts/services, you should review all types of accounts/services offered to customers, and note any restrictions on accounts/service availability that might mitigate risk. Also, review all methods for opening and accessing accounts/services and any restrictions that might mitigate risk.]

ASSESSMENT OF ASSOCIATION'S PRIOR EXPERIENCES WITH INFORMATION SECURITY BREACHES AND/OR IDENTITY THEFT CONCERNING CUSTOMER ACCOUNTS

[Association] had [number] data security breach[es] in XXXX, 200X [if true, and modify number and response accordingly]. [No customer account information was accessed, and no customer accounts were accessed.] [modify if not true] In response to this breach, [Association] ______________________ [e.g., monitored accounts for a period of X months and instituted additional identification checks for accessing customer accounts to conduct transactions].

To date, [Association] is aware of [number] occurrence[s] of identity theft, concerning unauthorized access to our customer accounts, either in account opening, account access, or transactions conducted. In response to these occurrences, [Association] ______________ [issued a full credit to each affected customer, and instituted additional identification checks for accessing customer accounts to conduct transactions]. [if true, and modify number and response accordingly].

[Association] maintains all regulatory alerts and business guidance on the Identity Theft Red Flags Rule (16 C.F.R. Part 681) (the “Rule”) issued by the Federal Trade Commission (“FTC”). Based on the above risk assessment and all applicable FTC alerts and business guidance, [Association] assesses the risk to its customer accounts from identity theft to be low. Because these are accounts for which there is not a reasonably foreseeable risk of identity theft, these accounts are not “covered accounts” within the meaning of the Rule.

[Note: In determining the association's risk regarding prior experiences with information security breaches and/or identity theft, you should include a description of any past experiences, including the steps taken by the association to prevent any further experiences. Also include other factors such as regulatory actions/findings; legal actions; insurance coverage; and/or independent analysis of any third-party vendors.]

CONCLUSION

While [Association] is a “creditor” within the meaning of the Rule, its customer accounts are not “covered accounts” under the Rule. Based on the above risk assessment, [Association] determines its overall risk regarding identity theft to be low. [but see Note below, if overall risk is moderate or high] Because [Association] does not offer accounts for personal, family or household purposes, and because its customer accounts have experienced few occurrences of identity theft, when viewed in relation to either the total number of accounts or the total number of annual transactions, these accounts do not face a reasonably foreseeable risk of identity theft. Therefore, they are not “covered accounts” within the meaning of the Rule.

Because [Association]'s customer accounts do not fall within the scope of the Rule, [Association] is not required to establish any specific Policies or Procedures in order to comply with the Rule. [Association] will conduct a similar Risk Assessment annually, in order to determine whether any changes in identity theft threats have caused its accounts to be considered “covered accounts” under the Rule, and thus to require enactment of such Policies or Procedures.

[Note: The risk assessment should reach an overall conclusion as to the association's risk regarding identity theft. The above conclusion is drafted with a low overall risk assessment, and hence no Rule coverage. However, if the overall risk assessment is moderate or high, then the association may conclude that such risk is in fact "reasonably foreseeable" and therefore proceed to develop and enact the Policies/Procedures required by the Rule.]

SIGNED:

NAME/TITLE:

DATED:

*  *  *  *  *  *

This article is not intended to provide legal advice or opinion and should not be relied on as such. Legal advice can only be provided in response to a specific fact situation.