FTC “Red Flag Rule”


The U.S. Federal Trade Commission (FTC) has issued a new regulation effective November 1, 2009 that requires certain entities, regardless of industry or size, to create written policies and procedures to address the issue of identity theft. The Red Flag Rule, as this new regulation is commonly known, sets forth guidelines as to how an entity should develop, implement and administer an identity theft program.


Affected Companies and Organizations


The FTC has specified that the Red Flag Rule applies to “financial institutions” and “creditors.” Although at first glance many companies may believe they are not a financial institution or creditor, and therefore are not covered by this regulation, they would be well advised to take a closer look at the FTC’s definitions of these terms.


The FTC defines a financial institution as “a bank, savings and loan, credit union, or other entity that holds a ‘transaction account’ belonging to a consumer.” A “transaction account” is further defined as an account that allows the owner to make payments or transfers, including checking accounts, savings accounts that permit automatic transfers, share draft accounts and brokerage accounts from which holders may write checks.


An entity that does not fall within the FTC’s broad definition of a financial institution must consider whether it meets the FTC’s definition of a “creditor.” The FTC defines a creditor as “a business or organization that regularly extends, renews or continues credit; arranges for someone else to extend, renew or continue credit; or a company or organization that is the assignee of a creditor who is involved in the decision to extend, renew or continue credit.”


“Credit” is further described as an arrangement by which one may defer payment of debts or accept deferred payments for the purchase of property or services. Creditors may include finance companies, automobile dealers, mortgage brokers, utilities, telecommunications companies and, in many cases, medical providers. Even a non-profit or governmental agency may meet the FTC definition of a creditor if it accepts deferred payments for goods or services. Nearly any entity that extends credit could fall under the FTC’s definition of a creditor.


An entity that determines it is a financial institution or creditor must next determine whether or not it has “covered accounts.” There are two types of covered accounts:


  • An account used mostly for personal, family or household purposes that involves multiple payments or transactions. Examples may include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts and checking or savings accounts.

  • Any account that a financial institution or creditor maintains for which there is a foreseeable risk to customers or the safety and soundness of the institution or creditor. Examples include small business accounts, sole proprietor accounts or single transaction consumer accounts.

The FTC regulation provides that an entity properly classified as a financial institution or creditor does not have to maintain a program to prevent identity theft if it does not have covered accounts.


Program Creation


The FTC’s “How-To Guide for Business” specifies a four-step compliance process:


  • Identify relevant red flags – Red flags are defined by the FTC as potential patterns, practices or specific activities indicating the possibility of identity theft and may include alerts, notifications or warnings from a Consumer Reporting Agency, suspicious documents (inconsistent information, apparent alterations or forgery), suspicious personal identification information and unusual or suspicious use of the covered account.

  • Detect red flags – Once an entity has identified the applicable red flags, the next step is to adopt procedures to detect them in the entity’s day-to-day operations. How does the entity use identity verification or authentication methods? What verification processes are in place regarding new accounts and what authentication and monitoring occurs in relation to existing accounts? These programs and processes must be incorporated into the overall Red Flag program.

  • Prevent and mitigate identity theft – How will an entity respond to an identified red flag? The appropriate response to each red flag must be identified and may include contacting the customer, closing an account, notifying law enforcement and monitoring a covered account for evidence of identity theft.

  • Monitor and update the program – Existing red flags may change over time as new technologies emerge and/or identity thieves change tactics. An entity’s board of directors and/or senior management should review the policy at least annually and regularly report on any significant incidents.

Administering the Program


The FTC has mandated that an identity theft program must be in writing and must be formally approved by the entity’s board of directors or, if no board exists, senior management.

Another consideration is staff training. The Red Flag Rule requires that staff and service providers involved with the identity theft program be effectively trained. It is important to recognize that employees at different levels in an entity may play a key role in identity theft prevention and detection.

Currently, there are no criminal penalties for failing to comply with the Red Flag Rule, but violators may be subject to civil monetary penalties. Monetary penalties aside, it is important to comply with the new regulation in that it helps to assure customers that the entity recognizes the critical importance of safeguarding their personal information and has taken the appropriate steps to prevent and detect identity theft.


Where to Go From Here?


An entity that determines it is properly classified as a financial institution or creditor has a couple of options to comply with the FTC’s new regulation:

1. Entities that have a low risk of identity theft may find they are able to use the resources located on the FTC’s website. However, the “Do-It-Yourself” solution is generally only appropriate for those entities having a very low risk related to identity theft.


2. Entities having a normal, or greater, risk of identity theft will likely need to seek the services of a third party to assist them in complying with the FTC requirements. KSM Business Technology can help identify the areas where an entity may have a higher risk of identity theft and create the necessary policies and procedures to prevent, and promptly detect, instances of identity theft.