Compliance with Red Flag Regulations

 

In response to the growing threat of identity theft, the United States Congress passed the Fair and Accurate Credit Transactions Act of 2003.  This amendment to the Fair Credit Reporting Act required that the Federal Trade Commission promulgate rules designed to “flag” and prevent identity theft.  On November 7, 2007, the Federal Trade Commission promulgated the final rules, known as “Red Flag” rules which go into effect May 1, 2009.  Colleges and universities may be subject to the Red Flag regulations and may need to comply with the "Red Flag" rules. 

 

The "Red Flag" rules apply to “financial institutions” and “creditors” with “covered accounts” or, more specifically, to financial institutions and creditors that offer or maintain accounts that provide for multiple transactions primarily for personal, family, or household purposes.  The rules define “covered account” as “a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).”

 

It is likely that most institutions of higher learning will be considered a covered entity under the rules and subject to compliance because they may act as a “creditor” under the rules.  “Creditors” are defined as an entity that engages in one or more of the following activities:

 

• Regularly extending, renewing, or continuing credit;
• Regularly arranging for the extension, renewal, or continuation of credit; or
• Acting as an assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

 

The definition of "creditor" would appear to encompass many institutions of higher learning.  As such, there are a number of considerations that must be addressed by institutions of higher learning.

 

First, under the Red Flag rules, users of consumer reports must develop reasonable policies and procedures to apply when they receive notice of an address discrepancy from a consumer reporting agency.  This provision would apply to areas that an institution engages that utilize consumer reporting agencies for any reason, i.e., credit or background checks for loan issuance or collection purposes, or for new hire applicants or similar reasons.

 

Second, the Red Flag rules also require financial institutions and creditors holding “covered accounts” to develop and implement a written identity theft prevention program for both new and existing accounts. This provision applies to any areas that an institution that issue any type of credit, such as a Perkins Loans, Short Term Loans for Students or Faculty/Staff, Housing Payment Plans, Transportation Payment Plans, Student Tuition/Fee Deferred Payment Plans or the like.

 

Finally, if your institution issues debit and credit cards, you must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.  Whether you comply with this portion of the rule may depend on, among other things, whether your institution uses a closed loop system and whether that system is processed internally or through the regular debit/credit card network.  

 

Simply put, the Red Flags rules require institutions of higher learning to develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees, include appropriate staff training, and provide for oversight of any service providers.

 

Many institutions of higher learning are working to implement their own Red Flag programs to ensure compliance by May 1, 2009.  We would be pleased to discuss our experience with you and guide you through the compliance process. 

 

 

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice.  The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.