Q: What is a “covered account”?
A: The term “account” is defined in the Red Flags Rules as “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes.” The definition of “covered account” is divided into two parts. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions.” An account that meets this part of the definition is always a covered account.
The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Therefore, an account that does not meet the first part of the definition may still be a “covered account” if it poses a reasonably foreseeable risk to consumers or to the financial institution or creditor from identity theft. Due to the risk-based nature of this part of the definition, each financial institution or creditor must determine which of its accounts, if any, meet this definition and, therefore, must be covered by its Identity Theft Prevention Program. This determination should be based upon a risk evaluation that includes consideration of the methods the institution or creditor provides to open its accounts, the methods it provides to access such accounts, and its previous experience with identity theft.