Red Flag Compliance

Federal identity theft prevention and Red Flag compliance became mandatory on November 1, 2008, ten months after the final Red Flags Rule took effect on January 1, 2008. The Federal Trade Commission (FTC) formally began enforcing Red Flags Rule compliance on January 1, 2011, after multiple delays while it awaited further clarification of the scope of the Red Flags Rule (the Rule). The "Red Flag Program Clarification Act of 2010", approved by the House, the Senate and the President, amended the Fair Credit Reporting Act's Red Flags Rule to clarify which entities are required to implement an Identity Theft Prevention Program for Red Flag compliance.

The Red Flags Rule requires "creditors" and "financial institutions" that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

Red Flags Rule History

On October 31, 2007, a joint committee of the OCC, Federal Reserve Board, FDIC, OTS, National Credit Union Administration (NCUA) and the Federal Trade Commission issued the final rules implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the Identity Theft Red Flags and Notices of Address Discrepancy or "Red Flags Rule." The main requirement of Red Flag compliance is that every covered organization must develop and implement a formal, written and revisable "Identity Theft Prevention Program" (Program) to detect, prevent and mitigate identity theft.

Covered Entities

Red Flags Rule compliance applies to "financial institutions" and "creditors" with "covered accounts."

Under the Rule, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they also become creditors.

Covered Accounts

A covered account under Red Flag compliance is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft such as small business or sole proprietorship accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

Red Flag Program Clarification Act of 2010

The Red Flag Program Clarification Act of 2010 excludes certain entities from the covered entities under the Red Flags Rule.

This Clarification Act includes the following language regarding the definition of a creditor as one that regularly and in the ordinary course of business:

• Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction
• Furnishes information to consumer reporting agencies in connection with a credit transaction
• Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person

Creditors do not include those that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.

Red Flag Compliance Enforcement

Most financial institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state chartered credit unions and certain other entities that hold consumer transaction accounts.

Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

The Identity Theft Program

Covered entities under Red Flag compliance must adopt a plan to detect, prevent and mitigate identity theft. The plan must be approved by the company’s Board of Directors (BOD), a committee of the BOD or senior management. The Red Flags Rule identifies certain signals of actual or attempted identity theft, but each company is left to establish plans based upon a risk assessment of its own operations. Signals identified by the agencies as warranting increased alert include:

• Consumer's notation on a credit report such as a fraud alert, active duty alert, or credit freeze.
• Unusual patterns in the consumer's use of credit, such as a recent increase in inquiries or new credit accounts, changes in the use of credit, or accounts closed.
• Suspicious documents that appear to be altered, forged or reassembled.
• Documents containing information that is inconsistent with the information provided by the person applying for credit.
• A suspicious Social Security Number (SSN), such as an SSN that has not been issued or that is listed on the Social Security Administration's Death Master File.
• An SSN that does not fall within the date of birth range, or that is the same SSN provided by other persons opening an account.
• A suspicious address or phone number, as follows: (a) the address or phone number is known to have been furnished on fraudulent applications; (b) the address either does not exist or is that of a mail drop or prison; (c) the phone number is invalid or associated with a pager or answering service; or (d) the address or phone number is the same as or similar to information submitted by other persons opening accounts.
• Use of an account that has been inactive for a "reasonably lengthy period of time."
• Mail sent to the account holder is returned while transactions continue.
• Notice from the account holder or law enforcement that identity theft has occurred.
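As an added illustration (not code from the original page or from any regulator), the following screens a batch of new-account applications for several of the signals listed above: an SSN that could never have been issued, an SSN on the Death Master File, and an SSN, address or phone number shared with another applicant or previously seen on a fraudulent application. The Death Master File and fraud-address lists are constructed placeholders, and the "never issued" test is only the structural rule for SSA area, group and serial numbers; the date-of-birth range check needs SSA issuance data and is not implemented.

```python
import re
from collections import defaultdict, namedtuple

Application = namedtuple("Application", "app_id ssn address phone")

# Constructed placeholders; a real Program would load SSA's Death Master File and its own fraud lists.
DEATH_MASTER_FILE = {"123-45-6789"}
FRAUD_ADDRESSES = {"1 fraud lane, nowhere"}

def normalize(text):
    # Lower-case and collapse whitespace so near-identical entries compare equal.
    return re.sub(r"\s+", " ", text.strip().lower())

def ssn_never_issued(ssn):
    # Structural check: SSA never issues area 000, 666 or 900-999, group 00 or serial 0000.
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        return True
    area, group, serial = (int(x) for x in m.groups())
    return area in (0, 666) or area >= 900 or group == 0 or serial == 0

def screen(applications):
    # Return {app_id: [red flag names]} for every application in the batch.
    by_ssn, by_addr, by_phone = defaultdict(set), defaultdict(set), defaultdict(set)
    for a in applications:
        by_ssn[a.ssn].add(a.app_id)
        by_addr[normalize(a.address)].add(a.app_id)
        by_phone[a.phone].add(a.app_id)
    flags = {}
    for a in applications:
        addr = normalize(a.address)
        checks = [
            ("ssn_never_issued", ssn_never_issued(a.ssn)),
            ("ssn_on_death_master_file", a.ssn in DEATH_MASTER_FILE),
            ("ssn_shared_with_other_applicant", len(by_ssn[a.ssn]) > 1),
            ("address_on_fraud_list", addr in FRAUD_ADDRESSES),
            ("address_shared_with_other_applicant", len(by_addr[addr]) > 1),
            ("phone_shared_with_other_applicant", len(by_phone[a.phone]) > 1),
        ]
        flags[a.app_id] = [name for name, hit in checks if hit]
    return flags

# Constructed sample batch: A1 is clean; each of the others trips one or more flags.
SAMPLE = [
    Application("A1", "219-09-9999", "12 Elm St, Springfield", "555-0100"),
    Application("A2", "987-65-4320", "34 Oak Ave, Springfield", "555-0101"),
    Application("A3", "123-45-6789", "1 Fraud Lane, Nowhere", "555-0102"),
    Application("A4", "321-54-9876", "78 Cedar Ct, Springfield", "555-0103"),
    Application("A5", "321-54-9876", "78  cedar ct,  Springfield", "555-0103"),
]
```

Each flagged application would then go to the response step of the Program; the flag names are placeholders chosen for this example.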

Red Flag Compliance Requirements

Under the Red Flag compliance program, financial institutions and creditors must develop a written Identity Theft Prevention Program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

Red Flag Compliance Program Components

The final regulation lists four basic elements that must be addressed by the Red Flags Rule compliance Program of a financial institution or creditor. The Red Flag compliance program must contain reasonable policies and procedures to:

• Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;

• Detect Red Flags that have been incorporated into the Program;

• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

• Ensure the Program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulation also indicates certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the company's Board of Directors, a committee of the Board, or senior management; ensuring oversight of the administration and management of the Program; training staff; and overseeing service provider arrangements.

Red Flags Categories

Red Flag compliance requires covered entities to identify identity theft warning signs in order to better manage identity theft risks. Federal guidelines identify 26 possible red flags, although each covered entity must perform its own risk assessment to identify all red flags relevant to its organization. These red flags fall into five categories:

• alerts, notifications, or warnings from a consumer reporting agency;

• suspicious documents;

• suspicious personally identifying information, such as an address;

• unusual or suspicious activity relating to a covered account; and

• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

Although there are no criminal penalties for failing to comply with the Red Flags Rule, financial institutions or creditors that violate the Rule may be subject to civil monetary penalties.

Visit Identity Management Institute for information about Red Flag compliance, training and certification.