December 13, 2018

FTC Requests Comment on Identity Theft Detection Rules

The Federal Trade Commission (FTC) published a Notice in the Federal Register on December 4, 2018 seeking public comment on whether any changes should be made to the FTC's identity theft detection rules. According to the Notice, the FTC is soliciting commentary on the benefits and costs of the identity theft prevention rules implementing Section 615 of the Fair Credit Reporting Act (FCRA), as well as their regulatory and economic impacts on consumers and the industry. The request for comment comes as part of the FTC's systematic review of all of its guides and regulations, and focuses on the Red Flags Rule and the Card Issuers Rule.

The Red Flags Rule requires financial institutions and certain creditors under the FTC's enforcement authority to develop and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening or existence of any "covered account." These accounts generally entail consumer accounts that may handle multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, or any other account where there is a reasonably foreseeable risk to consumers or the institution arising from identify theft.

The Card Issuers Rule requires debit and credit card issuers to establish and implement reasonable policies and procedures for assessing the validity of a change of address request when, shortly thereafter, the issuer receives a request for an additional or replacement card for the same account. The Rule prohibits card issuers from issuing the additional or replacement card until it has 1) notified the cardholder of the request and provided a reasonable means for the cardholder to promptly report an incorrect address change, or 2) otherwise assessed the validity of the address change.

The Notice poses specific questions and requests general information regarding the rule, such as the following:

  • Is there a continuing need for specific provisions of the Rules? Why or why not?
  • What benefits have the Rules provided to consumers? What evidence supports the asserted benefits?
  • What modifications, if any, should be made to the Rules to increase their benefits to businesses, including small businesses?
  • What modifications, if any, should be made to the Rules to account for changes in relevant technology or economic conditions? What evidence supports the proposed modifications?
  • Do the guidelines in appendix A of the Red Flags Rule need updating? If so, what updates should be made?
  • Is there any other type of creditor that is not subject to the Red Flags Rule that offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft?

The Notice provides instructions for making a submission to the FTC; the comment submission period is open until February 11, 2019.