Who must comply*

FTC Red Flags Rule: Any financial institution or creditor that holds a covered transaction account, including automobile dealers, utility companies, mortgage brokers, telecommunications companies, finance companies, and certain non-bank financial services

GLBA Model Privacy Notice: Financial institutions subject to the Gramm-Leach-Bliley Act privacy regulations

FACT Act Risk-Based Pricing: Businesses that extend credit to consumers primarily for personal, household, or family purposes

*This list is not exhaustive.
Is your company in compliance? Businesses have until the end of 2010 to address compliance with three different regulatory schemes: the Federal Trade Commission's ("FTC") Red Flags Rule, the Gramm-Leach-Bliley Act ("GLBA") model privacy notice form safe harbor, and the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act") risk-based pricing rules. As explained below, covered entities must comply by December 31, 2010 with the FTC Red Flags Rule; by January 1, 2011 with the FACT Act risk-based pricing rules; and by January 1, 2011, decide whether to comply with the GLBA model privacy notice safe harbor. Institutions should review their policies and procedures to ensure that they are prepared for these fast-approaching enforcement and implementation deadlines.
FTC Red Flags Rule
After a series of deadline extensions, the FTC is scheduled to begin enforcement of its Red Flags Rule on December 31, 2010. The rule is designed to ensure that certain financial institutions and creditors develop and implement identity theft prevention programs to detect, prevent, and mitigate identity theft in connection with certain covered accounts. See 16 C.F.R. § 681.1. Although originally scheduled to go into effect on November 1, 2008, the FTC has extended the rule's enforcement deadline several times, first to ensure that affected entities were aware of and prepared for the rules, and then in response to requests from Members of Congress to delay enforcement while that body contemplates legislation affecting the scope of entities covered. While such legislation is pending in Congress, passage is doubtful during the current lame duck session.
To comply with the December 31, 2010 deadline, covered entities must have developed a written identity theft prevention program that has been approved by the company's Board or an appropriate Board committee. The program's implementation must be overseen by the Board or a designated senior employee. For more information on compliance requirements, see our prior Red Flags Rule Alerts.[1]
This enforcement deadline does not affect the enforcement of the "Red Flags Rule" already in effect for financial institutions and creditors regulated by the federal bank regulatory agencies or the National Credit Union Administration. Nor does it apply to two related FTC rules already under enforcement: (1) the rule requiring issuers of credit and debit cards to develop policies and procedures to assess the validity of an address change request when that request is followed closely by a request for an additional or replacement card, 16 C.F.R. § 681.2; and (2) the rule requiring users of consumer credit reports to develop policies and procedures to respond to notices from credit reporting agencies regarding address discrepancies, 16 C.F.R. § 641.1.
GLBA Model Privacy Notice
Beginning January 1, 2011, financial institutions regulated under the GLBA must use the GLBA model privacy notice form in order to obtain safe harbor protection under the GLBA privacy rules. The standardized, easy-to-read form is designed to make privacy notices more comprehensible to consumers.
Under the GLBA, as amended by the Financial Services Regulatory Relief Act of 2006, all financial institutions are required to provide initial and annual privacy notices to their customers disclosing their practices for collecting and sharing nonpublic personal information and informing customers of their right to opt out of certain information-sharing practices. Currently, institutions that use the sample clauses from the appendices to the GLBA privacy rules in their notices generally qualify for a safe harbor, meaning they are deemed in compliance with certain disclosure requirements. This safe harbor expires on December 31, 2010, so any privacy notice sent on or after January 1, 2011 must use the model privacy notice form in order to qualify for the safe harbor.
To assist financial institutions in developing their notices, the eight federal agencies[2] that have adopted the model privacy notice have provided an "Online Form Builder," available at www.federalreserve.gov/newsevents/press/bcreg/privacy_notice_instructions.pdf.
While use of the model privacy notice form is required in order to obtain safe harbor protection, its use by financial institutions is voluntary; institutions instead may choose to pursue compliance with the notice disclosure requirements without relying on a safe harbor. Indeed, the form presents some challenges to financial institutions, because inclusion of additional information on the form may not be permitted despite the fact that some information-handling practices may not be easily described in the new format. Thus, financial institutions should carefully consider whether to utilize the form.
FACT Act Risk-Based Pricing Rules
Also beginning January 1, 2011, joint rules issued by the Federal Reserve Board and the FTC to implement risk-based pricing notice requirements under Section 311 of the FACT Act, amending the Fair Credit Reporting Act, will go into effect. Businesses that extend credit to consumers primarily for personal, household, or family purposes will be required to provide a risk-based pricing notice to consumers when: (1) a consumer report is used in connection with providing credit with material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers, and (2) generally, when, in the course of an account review, the creditor increases a consumer's annual percentage rate based on a deteriorated credit report. See 12 C.F.R. pt. 222, 16 C.F.R. pt. 640.
The rules indicate what types of information such notices must contain. Among other things, risk-based pricing notices must contain statements that the terms offered have been set based on information from a consumer report, that the terms offered may be less favorable than the terms offered to consumers with better credit histories, and that the consumer is encouraged to verify the accuracy of the information contained in the credit report. A safe harbor is available to creditors who use model forms provided in the rules. As an alternative to providing risk-based pricing notices, creditors may provide consumers who apply for credit with a free credit score and information about their score. In addition, certain other exceptions to the notice requirements apply.
If you have questions about compliance requirements for the FTC's Red Flags Rule, use of model privacy notices or compliance with GLBA privacy rules, or proper implementation of the FACT Act risk-based pricing rule, please do not hesitate to contact us.
[1] See, e.g., September 2, 2008 Red Flags Rule Alert; October 24, 2008 Red Flags Rule Alert; November 5, 2009 Red Flags Rule Alert.

[2] The Federal Trade Commission, Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission have adopted the model privacy notice form.