Red Flags Rule Delayed Until November 1, 2009
The Federal Trade Commission (“FTC”) has announced that it has extended the deadline for complying with its new identity-theft regulations, commonly referred to as the Red Flags Rule, from August 1, 2009, to November 1, 2009. These regulations, which concern the FTC’s enforcement of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), will impose obligations not only on certain financial institutions and creditors – but also on employers that use consumer reporting agencies to obtain background information on applicants for employment, and others.
This is the FTC’s second recent extension of the deadline for complying with the Red Flags Rule. In April 2009, the FTC announced that it would delay enforcement of the regulations until August 1, 2009, to give covered entities additional time to prepare. Notably, other federal agencies commenced enforcement of the Red Flags Rule on November 1, 2008, for institutions subject to their oversight.
Coverage of Regulations
Generally, any public or private entity that meets the definition of a “financial institution” or “creditor” with “covered accounts” will be covered by the Red Flags Rule. Although much in the regulations is directed at banks and other financial institutions that provide credit to consumers, the new regulations also apply to entities that obtain consumer reports from third-party agencies – in the case of employers, for the purpose of making hiring, promotion and other employment-related decisions. Although users of consumer reports are covered by the new regulations only to the extent that they obtain the consumer reports from nationwide credit reporting agencies (such as Experian, Equifax and TransUnion), this encompasses a significant number of the consumer reports obtained by employers.
The new regulations will come into play for an employer when it receives a “notice of address discrepancy” from a nationwide credit-reporting agency in response to a request by the employer for a consumer report on an individual. A notice of address discrepancy will be sent by a consumer reporting agency when the address provided by the employer differs substantially from the address contained in the consumer report provided by the agency.
Requirements for Employers
Under the new regulations, an employer must implement reasonable policies and procedures designed to enable it, in response to a notice of address discrepancy, to form a “reasonable belief” that the consumer report relates to the individual about whom the report was requested. The regulations state that possible examples of such policies and procedures include:
- Comparing the information in the consumer report provided by the agency with identity-confirming information that the employer uses under the federal Customer Information Program rules;
- Comparing the information in the consumer report with information that the employer maintains in its own records (such as job applications or change-of-address notifications); and
- Verifying the information directly with the individual to whom it relates.
After following such policies and procedures, an employer must furnish any address reasonably confirmed as accurate to the consumer reporting agency, provided that the employer:
- Has been able to form a reasonable belief that the consumer report corresponds to the individual about whom the report was requested;
- Regularly and in the ordinary course of business furnishes information to the consumer reporting agency that provided the notice of address discrepancy; and
- Has a “continuing relationship” with the individual. (Although the regulations do not define a “continuing relationship,” this presumably includes any instance in which an employer hires or retains an individual as an employee after obtaining a consumer report regarding him or her.)
The employer must report the confirmed address as part of the information regularly furnished to the consumer reporting agency for the reporting period in which the relationship with the individual was established.
Failure to comply with the Red Flags Rule can result in substantial liability, including actual and punitive damages, costs and attorneys’ fees. In addition, the FTC can impose civil penalties of up to $3,500 per violation. Thus, employers are advised to review the new regulations carefully to ensure that their policies and procedures for obtaining and processing consumer reports from nationwide consumer reporting agencies are fully compliant.
The Red Flags Rule, which has been published in the Federal Register at 16 C.F.R., Part 681, can be found by typing the following link into the address bar of your Internet browser:
In addition, the FTC has established a web site at www.ftc.gov/redflagsrule to assist covered entities with compliance programs. The FTC web site provides, among other things, a “how-to” guide for businesses seeking to create a Written Identity Theft Prevention Program in accordance with the Red Flags Rule.
Massachusetts employers covered by both the Red Flags Rule and the new Massachusetts data security regulations effective January 1, 2010, are urged to develop a Written Identity Theft Prevention Program that is consistent with the Written Information Security Program required by the Massachusetts Data Security Breach Law, codified in Chapter 93H, Sections 1-6 of the Massachusetts General Laws, and whose implementing regulations appear in Part 201, Section 17.00 of the Code of Massachusetts Regulations.
Please feel free to contact us if you have questions about the use of consumer reports in background checks, the Red Flags Rule, or the Massachusetts data security law and its corresponding regulations.