In 2003, President Bush signed the "Fair & Accurate Credit Transactions Act" into law. The law was enacted to stem the tide of what was deemed "rampant identity theft". Congress empowered the Federal Trade Commission ("FTC") to promulgate rules to effectuate the law. The FTC spent years working on the rules, purportedly trying to balance the need to protect the public against the need to minimize the regulatory burden on businesses. Relevant rules were eventually adopted and given a November 1, 2008 effective date. The concerns of various groups and business leaders vis-a-vis these rules led to the enactment of the Red Flag Clarification Act. This law clarified various aspects of this program, including what entities may be deemed a "creditor".

 

The related federal regulations can be found at 16 C.F.R. Sec. 681.  This "Red Flag" rule applies to "Financial Institutions" and "Creditors" (defined as "Covered Entities").  The term "creditor" is defined as someone who regularly and ordinarily in the course of business (as relevant to community associations and those who manage them) advances funds on behalf of a person, based on the obligation to repay.  The term excludes those who advance funds on behalf of someone else for expenses incidental to a service provided to them by the creditor. The term also includes any other type of creditor that the FTC may determine appropriate based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.  It is likely that the FTC would consider a common interest community association, and a community association management company, to be a "creditor" for the purpose of the Red Flag rule.  

 

A creditor must develop a written program intended to prevent or mitigate identity theft. This program must identify the red flags related to the accounts and/or information the creditor maintains. It must detect those red flags, respond appropriately to any red flags identified and/or detected, and be updated periodically to reflect changes in risks to customers and members, so as to protect them from identity theft. "Red Flags" include: (1) alerts, notifications and credit reporting agency warnings; (2) suspicious documents; (3) suspicious personal identifying information; (4) suspicious account activity; and (5) notice from other sources (e.g., law enforcement). Management companies and their community association clients must consider the need for a "Red Flag" privacy officer. They must review and analyze their dishonesty, errors & omissions, directors and officers, and liability policies in relation to the rule. Management companies should consider how their existing boilerplate contracts protect them, if at all, and they should also ensure that their compliance with the rule, and their warnings/directions to boards, is documented.