Identity Theft Prevention Program: Definitions

Question: We are a mortgage lender and have an Identity Theft Prevention Program, but we are still not sure what is considered a “covered account,” or an “account,” or a "Red Flag," or even a “customer.” What are the definitions for these terms? Answer: Required by the Federal Trade Commission (FTC) and other Federal agencies, the Identity Theft Prevention Program must be implemented by “financial institutions” and “creditors.” The foregoing two categories of subject entities have been defined very broadly, so as to reach to all residential mortgage lenders and originators. Essentially, a financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program, the purpose of which is to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. A “covered account” consists of two classes: 1. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and, 2. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. [16 CFR § 681.1(b)(3) (2010)] An “account” is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. For instance, an account would include an extension of credit, such as for the purchase of property or services involving a deferred payment. [16 CFR § 681.1(b)(1) (2010)] A “Red Flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft. [16 CFR § 681.1(b)(9) (2010)] A “customer” is a person who has a covered account with a financial institution or creditor. [16 CFR § 681.1(b)(6) (2010)] Jonathan Foxx is president and managing director of Lenders Compliance Group and Brokers Compliance Group, mortgage risk management firms devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted at (516) 442-3456 or by e-mail at [email protected].