Red Flags Rule
The Red Flags Rule was created by the Federal Trade Commission (FTC), together with other government agencies such as the National Credit Union Administration (NCUA), to help prevent identity theft. The rule was passed in January 2008 and was to be in place by November 1, 2008, but due to pushback from opponents the FTC delayed enforcement until December 31, 2010.
In December 2010, the Red Flags Rule was clarified by the Red Flag Program Clarification Act of 2010 to exclude most doctors, lawyers, and other professionals who do not receive full payment at the time their service is furnished.
The Red Flags Rule was based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA was enacted to address identity theft prevention and credit history restoration, improvements in the use of and consumer access to credit information, enhancing the accuracy of consumer report information, limiting the use and sharing of medical information in the financial system, financial literacy and education improvement, protecting employee misconduct investigations, and the relation of the act to state laws.
The rule applies to two different groups: financial institutions and creditors. A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.
The definition of a creditor was clarified by the Red Flag Program Clarification Act of 2010. Under the Clarification Act, a creditor regularly and in the course of business:
- Obtains or uses consumer credit reports;
- Provides information to consumer reporting agencies; or
- Advances funds which must be repaid in the future (or against collateral).
This definition was further clarified by the United States Court of Appeals for the District of Columbia Circuit in its March 4, 2010 ruling in American Bar Association v. Federal Trade Commission. The court affirmed Senator Dodd's statement regarding the bill that "lawyers, doctors, ... and other service providers [are] no longer classified as 'creditors' for the purpose of the red flags rule just because they do not receive payment in full from their clients at the time they provide their services."
Many different kinds of companies fall under this rule, including, but not limited to, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies, as well as any other company that advances funds or routinely interacts with consumer credit agencies when performing a service and receiving payment once the work is complete.
The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. The program must include four basic elements, which together create a framework to address the threat of identity theft.
The program has four elements:
1) Identify Relevant Red Flags
- Identify likely business-specific identity theft red flags
2) Detect Red Flags
- Define procedures to detect red flags in day-to-day operations
3) Prevent and Mitigate Identity Theft
- Act to prevent and mitigate harm when red flags are identified
4) Update Program
- Maintain the red flag program, including educating operational staff
The Red Flags Rule gives every financial institution and creditor the flexibility to design and implement a program appropriate to its size and complexity and to the nature of its operations.
The red flags fall into five categories:
- alerts, notifications, or warnings from a consumer reporting agency
- suspicious documents
- suspicious identifying information, such as a suspicious address
- unusual use of – or suspicious activity relating to – a covered account
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
The FTC has created a template that businesses can populate to meet an individual company's needs. The template can be found on the FTC website. This template, however, is appropriate only for small, very low-risk businesses.
The Fair Credit Reporting Act of 1970, as amended in 2003 (FCRA), required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flags rules”). Those agencies were the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the Federal Trade Commission (FTC) (together, the “Agencies”). In 2007, the Agencies issued joint final identity theft red flags rules.
On January 1, 2011, the FTC began enforcing its Fair and Accurate Credit Transactions Act of 2003 (FACT Act) Red Flags Rule. The Red Flags Rule requires that each "financial institution" or "creditor"—which includes most securities firms—implement a written program to detect, prevent, and mitigate identity theft in connection with the opening or maintenance of "covered accounts." These include consumer accounts that permit multiple payments or transactions, such as a retail brokerage account, credit card account, margin account, checking or savings account, or any other account with a reasonably foreseeable risk to customers or the firm from identity theft.
On July 21, 2011, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred responsibility for rulemaking and enforcement of identity theft red flag rules and guidelines to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) for the firms they regulate.
On April 19, 2013, the SEC and CFTC published their joint final Identity Theft Red Flags Rule and guidelines, effective May 20, 2013, with a compliance date of November 20, 2013. The rule and guidelines contain no requirements that were not already in the FTC Red Flags Rule and guidelines, and they do not expand the scope of that rule to new categories of entities. They do, however, contain examples and minor language changes designed to help entities within the SEC's enforcement authority comply with the rule, which may lead some entities that had not previously complied to determine that they fall within the scope of the rule the SEC and CFTC adopted.
Red Flag Rule and identity theft
Because the Red Flags Rule defines creditors broadly, many businesses (such as utilities) are required to collect personal information (such as Social Security numbers and driver’s license numbers) that is not needed for business purposes. This is contrary to the FTC’s advice to consumers that they should disclose their Social Security number to others only when absolutely necessary. This aspect of the Red Flags Rule has the unintended consequence of increasing the number of businesses that hold consumers' Social Security numbers, thereby putting consumers at greater risk of identity theft through data theft and increasing costs for the businesses that are required to secure this data.