GALLAGHER EVELIUS & JONES LLP ATTORNEYS AT LAW
Client Alert: UPDATE Red Flags Rule
November 2009
 

UPDATE: Red Flags Rule Enforcement Deadline Extended to December 31, 2010


Federal Trade Commission Issues Red Flags Rule
June 2008

On November 1, 2009, the Federal Trade Commission will begin to enforce rules requiring certain businesses to develop and implement an identity theft prevention program. The regulations, commonly known as the Red Flags Rule (the Rule), apply very broadly to both non-profit and for-profit organizations.

A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. The Rule requires financial institutions and creditors that maintain covered accounts to develop and implement a written identity theft prevention program (a Program) designed to identify potential red flags and spell out appropriate actions to be taken once these red flags are discovered.

A creditor is defined as any entity that regularly extends, renews or continues credit. It includes any entity that allows for deferred payments of goods or services, or provides goods or services first and bills for them at a later time. The definition of creditor also includes organizations that regularly grant loans, arrange for loans or the extension of credit or make credit decisions.

A covered account is either an account used for personal, family, or household purposes that involves multiple payments or transactions or an account for which there is a foreseeable risk of identity theft. A covered account would include an account through which a consumer pays for services monthly after the services have been provided.

Since the definitions of creditor and covered account are so broad, organizations such as schools, which regularly provide services and allow for payments in installments over time, will be subject to the Rule, even though the risk of identity theft associated with their accounts is relatively low.

An organization’s written Program must include policies and procedures to identify which red flags are relevant to the entity’s covered accounts; detect red flags when they arise; respond appropriately to red flags that are detected; and ensure that the Program is updated periodically to reflect changes in identity theft risk.

Common categories of red flags include: alerts, notifications, or other warnings from consumer reporting agencies or service providers; presentation of suspicious documents; presentation of suspicious personal identifying information, such as suspicious address changes; suspicious or unusual activity related to a covered account; and notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft in connection with covered accounts.

When developing a Program, organizations should assess the risk posed by the red flags. They should develop methods to verify the identity of individuals opening covered accounts, including requiring individuals to present photo identification or verification of place of residence (e.g., using utility or other bills). For existing accounts, organizations should authenticate an individual's identity (e.g., through a password or PIN), monitor transactions, and verify the validity of change of address requests. In addition to these steps, appropriate responses to red flags include the following:

  • Monitoring the account for evidence of identity theft;

  • Contacting the consumer;

  • Changing passwords, security codes, or other ways to access the account;

  • Reopening an account with a new account number;

  • Not opening a new account, or closing an existing account;

  • Not attempting to collect on an account or not selling an account to a debt collector; or

  • Notifying law enforcement.

Programs must be updated periodically based upon the organization's experiences with identity theft. The board of directors, a committee of the board, or, if there is no board, senior management must approve the Program. The board or a designated member of senior management must oversee the Program, including implementing the policies and procedures, reviewing compliance reports prepared at least annually by staff, and approving material changes. Organizations also must train staff as necessary to implement the Program.

For questions about the Red Flags Rule or for compliance assistance, please contact one of the Gallagher Employment attorneys below:

Saul E. Gilstein, 410-347-1361, sgilstein@gejlaw.com
Kathryn K. Hoskins, 410-347-1360, khoskins@gejlaw.com
Hillary A. Arnaoutakis, 410-347-1345, harnaoutakis@gejlaw.com
Peter E. Keith, 410-347-1338, pkeith@gejlaw.com
David W. Kinkopf, 410-347-1363, dkinkopf@gejlaw.com
Steven G. Metzger, 410-951-1422, smetzger@gejlaw.com
David G. Sommer, 410-951-1414, dsommer@gejlaw.com
218 North Charles Street, Suite 400  Baltimore MD 21201  Telephone: 410 717 7702  FAX: 410 468 2786 Email: info@gallagher.com  
Copyright 2010 Gallagher Evelius & Jones LLP All Rights Reserved.  