Red Flags Rule
- Not to be confused with Red Flag Act
The Red Flags Rule was created by the Federal Trade Commission (FTC), along with other government agencies such as the National Credit Union Administration (NCUA), to help prevent identity theft. The rule was passed in January 2008 and was to be in place by November 1, 2008. Because of pushback from opponents, however, the FTC delayed enforcement until December 31, 2010.
In December 2010, the Red Flags Rule was clarified by the Red Flag Program Clarification Act of 2010 to exclude most doctors, lawyers, and other professionals who do not receive full payment at the time their service is furnished.
The Red Flags Rule was based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA was put in place to address identity theft prevention and credit history restoration; improvements in the use of and consumer access to credit information; enhancing the accuracy of consumer report information; limiting the use and sharing of medical information in the financial system; financial literacy and education improvement; protecting employee misconduct investigations; and relation to state laws.
This rule applies to two groups: financial institutions and creditors. A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.
The definition of a creditor was clarified by the Red Flag Program Clarification Act of 2010. Under the Clarification Act, a creditor regularly and in the course of business:
- Obtains or uses consumer credit reports;
- Provides information to consumer reporting agencies; or
- Advances funds which must be repaid in the future (or against collateral).
This definition was further clarified by the United States Court of Appeals for the District of Columbia Circuit in its March 4, 2010 ruling on The American Bar Association vs. Federal Trade Commission. The court affirmed Senator Dodd's statement regarding the bill that "lawyers, doctors, ... and other service providers [are] no longer classified as 'creditors' for the purpose of the red flags rule just because they do not receive payment in full from their clients at the time they provide their services."
This rule applies to many different companies. The list includes, but is not limited to, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies, as well as any other company that advances funds or routinely interacts with consumer credit agencies when performing a service and receiving payment once the work is complete.
The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The program must include four basic elements, which together create a framework to address the threat of identity theft.
The four elements are:
1) Identify Relevant Red Flags
- Identify likely business-specific identity theft red flags
2) Detect Red Flags
- Define procedures to detect red flags in day-to-day operations
3) Prevent and Mitigate Identity Theft
- Act to prevent and mitigate harm when red flags are identified
4) Update Program
- Maintain the red flag program, including educating operational staff
The Red Flags Rule provides all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations.
The red flags fall into five categories:
- alerts, notifications, or warnings from a consumer reporting agency
- suspicious documents
- suspicious identifying information, such as a suspicious address
- unusual use of – or suspicious activity relating to – a covered account
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
The FTC has created a template that businesses can populate to meet an individual company's needs. The template can be found on the FTC website. This template, however, is appropriate only for small, very low risk businesses.
Red Flag Rule and identity theft
Because the Red Flags Rule defines creditors widely, many businesses (such as utilities) are required to collect personal information (such as Social Security numbers and driver’s license numbers) that they do not need and have no use for. This policy is precisely contrary to the FTC’s advice to consumers that they should disclose their Social Security number to others only when absolutely necessary. This aspect of the Red Flags Rule has the unintended consequence of increasing the number of businesses that hold consumers' Social Security numbers, thereby putting consumers at greater risk of identity theft through data theft.
- Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159, 108th Congress, retrieved 2009-02-02
- “Identity theft” means a fraud committed or attempted using the identifying information of another person without authority. See 16 C.F.R. § 603.2(a). “Identifying information” means “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any – (1) Name, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).” See 16 C.F.R. § 603.2(b).
- "Start or Install Service".
- ftc.gov. "Deter Minimize Your Risk".