Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC's notice announced that it has also launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.
The Identity Theft Red Flag Rules were jointly adopted last year by the FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration) pursuant to the Fair and Accurate Credit Transaction Act of 2003. Under the rules, financial institutions and “creditors” with “covered accounts” must have identity theft prevention programs in place and operating by November 1, 2008. The programs must identify, detect and respond to patterns, practices or specific activities that could indicate an account holder has been the victim of — or is engaged in — identity theft.
As explained in the DWT advisory, all types of financial institutions and most electronic service providers (including video, Internet and voice service providers) will have “covered accounts” governed by these new rules and therefore must have designed, implemented and begun operating an internal system to detect and combat identity theft no later than November 1, 2008. The advisory provides the relevant definitions and other triggering terms in the rules, and an overview of what they require.