The Federal Trade Commission Red Flags Rule

Posted by Rebecca Brommel in September 2009 on 9/1/2009



The “Red Flags Rule” requires many businesses and organizations to implement a written Identity Theft Prevention Program. Although the Rule has been in effect since January 1, 2008, the enforcement date of such Rule has been delayed until November 1, 2009. The Red Flags Rule is an effort to combat identity theft and provide guidelines for the detection, prevention and response to identity theft.  In order to be compliant with these regulations, you must determine whether you are subject to such regulations and if so, implement an appropriate written Identity Theft Prevention Program. 

What are “Red Flags”? 

Red Flags are the potential patterns, practices, or specific activities indicating the possibility of identity theft. 

Am I subject to the Red Flags Rule? 

If you are a financial institution or a creditor that offers or maintains one or more covered accounts, you are subject to the Red Flags Rule.   

A “financial institution” is any state or national bank, state or federal savings and loan association, mutual savings bank, state or federal credit union or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. 

A “creditor” is any person or entity who regularly extends, renews or continues credit. This definition is fairly broad and includes any business that regularly defers payment for goods or services and/or a business that provides goods or services and then bills customers at a later time. Under this definition, law firms, healthcare providers, utility companies, telecommunications companies and a variety of other businesses are considered creditors. Additionally, finance companies, mortgage brokers, real estate agents, automobile dealers and retailers that offer financing or help consumers get financing from others (for example, by processing credit applications) are considered creditors. 

The term “covered accounts” includes two categories: (1) consumer accounts offered to customers that are primarily for personal, family or household purposes and that involve or are designed to permit multiple payments or transactions (e.g., credit cards, mortgages, auto loans, cell phone accounts, utility accounts, checking and savings accounts); or (2) any account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks (e.g., small business accounts, sole proprietorship accounts, single transaction accounts that are vulnerable to identity theft). 

How do I comply with the Red Flags Rule? 

Once you have determined that you are subject to the Red Flags Rule, you must implement an Identity Theft Prevention Program. The Program must be designed to prevent, detect and mitigate identity theft in connection with the opening of new accounts and the operation of existing accounts. Each Program must be tailored to the size, complexity and nature of your business and its activities. If your business has a high risk of identity theft or if you have a variety of different covered accounts, your Program will likely be more complex. If you already have a fraud and identity theft program, you may be able to simply update this policy to comply with the Red Flags Rule. 

The Federal Trade Commission (FTC) has set forth four requirements for a Program: 

1.   Identify relevant red flags. 

  • Consider the types of accounts you offer or maintain.
  • How are these accounts opened?
  • How do you provide access to the accounts?
  • Have you had identity theft issues in the past?  What did you learn from these events?
  • What is the experience of others in your industry with identity theft?
  • Do any of these potential red flag areas exist in your business?
    • Alerts, notifications and warnings from a credit reporting company.
    • Suspicious documents (e.g., appearance of alteration or forgery; presented information does not match your records).
    • Suspicious personal identifying information (e.g., inconsistencies in addresses; social security numbers listed on the SSA Death Master File or that have not been issued; telephone numbers and addresses used by multiple people; inability to provide authenticating information).
    • Suspicious account activity (e.g., a new account is used for cash advances or purchases of jewelry, electronics, etc.; an account is used in a way that is inconsistent with established patterns; an account that has been inactive for a long time becomes active again; undeliverable or returned mail).
    • Notices from other sources (e.g., victim, customer, law enforcement).

2.   Detect red flags. 

  • Consider different procedures for whether identity verification is taking place in person or via telephone, mail, internet or wireless system.
  • Establish reasonable procedures for opening new accounts, such as reviewing an identification card, checking the information against other sources (e.g., a credit reporting company, the Social Security Administration or other publicly available information), and asking challenge questions based on information you receive from other sources.
  • For existing accounts, consider procedures to authenticate customers, monitor activity and verify change of address requests. For online authentication, you may want to consider the Federal Financial Institutions Examination Council’s guidance, which explores the use of multi-factor authentication such as passwords and PIN numbers.
  • If you are using some of these tools already, they can be incorporated into the Program.

3.   Prevent and mitigate identity theft. 

  • Determine what your response will be once a red flag is spotted.
  • Your response should depend upon the degree of risk and whether any aggravating factors exist.
  • Consider other legal obligations (e.g., HIPAA, utility termination requirements) when preparing your response.
  • Examples of appropriate responses include the following:
    • Monitor the account for evidence of identity theft.
    • Contact the customer.
    • Change passwords or other ways to access the account.
    • Close the existing account.
    • Reopen an account with a new number.
    • Do not initiate collections on, or sell to a debt collector, that particular account.
    • Notify law enforcement.
    • Determine that no response is warranted under the specific circumstances.

4.   Update your Program.     

  • Because of technology changes, periodic updates are required.
  • Determine how often you need to review and update your Program based upon past experience. You should consider reviewing the Program when there are changes to the process for opening or offering accounts or when there are changes to the business (e.g., mergers, joint ventures, arrangements with service providers).
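As an added illustration, not part of this article or of the FTC guide it cites, the Python sketch below encodes several of the red flags listed under step 1 and maps them to the example responses under step 3. The Death Master File entry, the never-issued SSN prefixes, the sample accounts and the risk tiers are constructed assumptions; a real Program would query the SSA and a credit reporting company and tailor the tiers to its own accounts.

```python
from dataclasses import dataclass
from datetime import date
# Constructed lookup data; a real Program would query the SSA and a credit bureau.
DEATH_MASTER_FILE = {"123-45-6789"}          # constructed sample value, not a real SSN
UNISSUED_SSN_PREFIXES = ("000", "666", "9")  # area numbers the SSA has never issued

@dataclass
class Account:
    applicant_id: str
    ssn: str
    phone: str
    address_on_file: str
    address_given: str
    last_activity: date
    active_today: bool = False
    mail_returned: bool = False

def shared_phones(accounts):
    """Phone numbers appearing on accounts of more than one applicant."""
    owners = {}
    for a in accounts:
        owners.setdefault(a.phone, set()).add(a.applicant_id)
    return {p for p, ids in owners.items() if len(ids) > 1}

def red_flags(acct, shared, today):
    """Red flags raised by one account, named after the Rule's indicator list."""
    flags = []
    if acct.ssn in DEATH_MASTER_FILE:
        flags.append("ssn_on_death_master_file")
    if acct.ssn.startswith(UNISSUED_SSN_PREFIXES):
        flags.append("ssn_never_issued")
    if acct.address_given != acct.address_on_file:
        flags.append("address_inconsistent")
    if acct.phone in shared:
        flags.append("phone_shared_by_multiple_people")
    if acct.active_today and (today - acct.last_activity).days > 365:
        flags.append("dormant_account_reactivated")
    if acct.mail_returned:
        flags.append("mail_undeliverable")
    return flags

def response(flags):
    """Pick one of the Rule's example responses according to degree of risk (assumed tiers)."""
    if not flags:
        return "no response warranted"
    if {"ssn_on_death_master_file", "ssn_never_issued"} & set(flags):
        return "close account, reopen with new number, notify law enforcement"
    if len(flags) >= 2:
        return "contact customer and change passwords"
    return "monitor account"
```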

In addition to these four requirements, you must establish the administration of your Program. The initial written Program must be approved by the board of directors or an appropriate board committee. If you do not have a board, it should be approved by someone in senior management. 

Once approved, either the board or a designated senior employee should oversee, develop, implement and administer the Program. The person(s) who are tasked with the administration should implement the program, which includes training staff, reviewing staff reports regarding compliance and approving changes to the Program. The person(s) should also monitor the activities of any service providers to determine if they are conducting activities covered by the rules. If so, you should review their Program, give them a copy of your Program and require periodic reports from them regarding identity theft issues. 

The person in charge of the Program should report at least annually to the board or a designated senior manager regarding the effectiveness of the Program. These reports should also include information regarding the monitoring of service providers, significant incidents of identity theft and recommendations for changes. 

Many industry and association groups have sample Programs available. While these are a great starting point, you should review the sample Programs with your business in mind and revise them accordingly. 

What happens if I fail to comply with the Red Flags Rule? 

If you fail to implement and administer a Program before November 1, 2009, you may be penalized $2,500 per violation of the Red Flags Rule. The FTC also has the authority to enter agreements with entities subject to the Rule that would require ongoing reporting and monitoring of your Program. 

Thus, it is very important to implement and administer a Program as soon as possible. If you would like assistance in putting together a Program or if you would like additional information, please contact Rebecca A. Brommel or your BrownWinick attorney. 

Rebecca A. Brommel is a member of BrownWinick and practices primarily in the litigation area. Becki serves clients in all types of litigation and administrative proceedings. Becki can be reached at (515) 242-2452 or brommel@brownwinick.com. 

Resource:  Federal Trade Commission, Fighting Fraud with the Red Flags Rule: A How-To Guide for Businesses (March 2009).