The Red Flags Rules and Insurance Companies
UPDATED: February 12, 2010
Identity theft is a growing problem, and new federal regulations aim to help spot the problem before it causes major damage to both the victim and to businesses. Businesses suffer by absorbing unpaid bills run up by the thieves, and by racking up transaction costs in helping customers sort out the mess.
Insurance companies are usually not the first businesses affected by an identity theft. The first act of the thief is typically not the purchase of an insurance policy under the stolen name. However, some policies cover identity theft and insurance companies and agents may be affected down the line in other ways. Because the Red Flags Rules may apply to some insurance companies or agencies, agents should know the basics of the Rules.
What are the Red Flags Rules?
The “Red Flags Rules” (the “Rules”) are a set of regulations that requires certain businesses to adopt programs designed to prevent identity theft, and to detect it early when it does occur. The Rules are enforced by the Federal Trade Commission (the “FTC”) and is part of the Fair Credit Reporting Act.  The FTC recently extended the deadline for enforcement of the Rules until June 1, 2010. Businesses should determine if the Red Flags Rules apply to them; and, if it does, take the required actions.
Under the Rules, businesses that are “financial institutions” or “creditors” (more on what these are below) must have a written program that identifies and detects the warning signs – the “red flags” – of identity theft. The program may vary from business to business, but all programs should have the following four basic elements:
- Reasonable policies and procedures to spot the red flags common in your business. The red flags will vary depending on the type of business. For example, if a business requires a photo ID to open an account, a fake-looking ID would be a red flag
- A procedure to detect the red flags you have identified
- The actions to take when red flags are identified
- A plan to re-evaluate and evolve the program as new risks emerge
It is not enough to just have a written document. Training and monitoring requirements exist as well.
Do the Rules Apply to My Business?
Two categories of business are covered by the Rules: Financial institutions and creditors. Determining if a business is a “financial institution” is fairly straightforward:
18 U.S.C. Â§ 1681a(t).  Most of the time, whether a business is a financial institution will be fairly obvious. This definition comes up in other contexts, such as FDIC insurance, so businesses tend to know if they are financial institutions.
If the business is a financial institution or a creditor, the final step is determining whether the business has any “covered accounts.”  The first kind of covered account is a person, family or household account set up to permit multiple payments or transactions, for example, credit card accounts, mortgage loans, cell phone accounts, checking or savings accounts. The second kind of covered account is any account (personal or business) that presents a “reasonable foreseeable risk” that identity theft would be a problem.
If a business does not have any covered accounts, it does not need a Red Flags Rules program. Covered accounts are discussed in more detail below.
Is My Business a “Creditor”?
However, determining whether your business is a “creditor” can be trickier, because it has less to do with what kind of company you are (e.g., a bank), and more to do with your particular circumstances. A “creditor” is defined as any person (including a company):
14 U.S.C. Â§ 1691a(e). “Credit” here is used in the usual sense: the right to defer debt payments, or the right to incur debt and pay later. Credit card companies are obviously creditors, since they give the consumer the right to purchase now (incur a debt) and pay later. An appliance store who permits customers to pay on an installment plan is also a creditor.
Less obviously, a utility company which does not bill customers in advance for a service is a creditor. The service or product (electricity, for example) is provided during the month, but is not paid for until later. This is why utility companies and telecommunications companies are specifically listed as creditors in the Rules. 
Therefore, the bottom line is this: If an insurance agency regularly extends credit to customers, it will probably be considered a “creditor” and will have to develop a Red Flags program. The main way an insurance agency or company would come under this definition is if they allow insureds to pay for coverage at the end of a coverage period, rather than before the coverage period starts. If clients always pay up front for insurance coverage, the insurance company is not a “creditor.”
Insurance agents sometimes pay the premiums on behalf of their insureds as those premiums become due, with the expectation that the insured will pay them back later. Paying these “advances” for clients will definitely count as extending credit. Coverage begins, but the insured has not paid yet. As discussed above, any agency doing this is a creditor and will need to implement the Rules program if it has any “covered accounts.”
These “advances” will trigger the Rules if the insured is an individual or a family. This is because those accounts are “covered accounts.” Recall that any personal, family or household account (set up to permit multiple payments or transactions) is a covered account. Therefore, if an agency makes these advances for families or individuals, it will need to implement a program.
What if an insurance agency pays the premiums for a business in advance (as opposed to an individual or family)? A business account does not fall under the first kind of “covered account,” because it is not for personal or household use. A business account may fall under the second type of “covered account” if the risk of damage from identity theft is present and foreseeable.
The FTC lists small business accounts, sole proprietor accounts and single transaction consumer accounts as examples of at-risk accounts. Other at-risk accounts could be accounts easily accessed by phone or Internet. Presumably, if an insurance agency has an account for a medium sized business, the risk of identity theft is not very high. Run-of-the-mill identity thieves do not typically target business identities.
In addition, as noted above, identity thieves typically do not take out insurance in the name of their stolen identity. Therefore, most business using insurance companies will probably not be at-risk, and so their account will probably not be “covered accounts.” If those business accounts contain personal information of individuals, then they might be at-risk.
If any agency advances payments for individuals or families, that agency will be a creditor and the accounts will be “covered accounts,” and so it will have to comply with the Red Flags Rules. If any agency makes advance payments for at-risk businesses, it will also have to comply with the Red Flags Rules. However, if an agency makes advance payments solely for businesses that are not at-risk, it will not need to implement a program, because those accounts are not “covered accounts.”
To subscribe to email alerts from Axley Law Firm, click here.
 The Red Flags Rules are found at 16 C.F.R. Â§ 681. The FCRA includes the Fair and Accurate Credit Transactions Act (“FACTA”), and was enacted to protect consumers and business with regard to credit cards, credit ratings and other credit-related activities.
 A “transaction account” is a bank-like account out of which a customer can make withdrawals or payments. See 12 U.S.C. Â§ 461(b)(1)(C).
“Covered accounts” are defined in 16 C.F.R. Â§ 681.2(b)(3).
 See 16 C.F.R. Â§ 681.2(b)(5).
 Supplement I to 12 C.F.R. Part 226, Section 226.2(a)(14).