Federal Trade Commission Red Flags Rule

Congress passed the Fair and Accurate Credit Transaction Act of 2003 (FACTA) in response to the growth in identity theft crimes.44 FACTA made it harder for consumer financial information to be used to commit these crimes through changes to the FCRA.

Congress recognized that the financial industry has a role in protecting customers from identity theft. Therefore, FACTA required the federal bank regulatory agencies and the FTC to work together to create rules that would identify and respond to possible instances of identity theft. These agencies issued a joint rule, known as the Identity Theft Red Flags Rule,45 on November 9, 2007.

Purpose

The purpose of the Red Flags Rule is to fight identity theft. The rule requires covered financial institutions to be on the lookout for certain warning signs that might indicate identity theft is taking place in consumer financial transactions.

NOTE

A Red Flag is any “pattern, practice, or specific activity that indicates the possible existence of identity theft.”47

The Red Flags Rule is not a data security rule. It does not require institutions to protect data in a certain way. Instead, it requires them to be flexible and responsive to different business situations where identity theft could be possible.46

Scope

The Red Flags Rule applies to financial institutions and creditors that have covered accounts. Financial institutions are state and federal banks, credit unions, and savings and loan associations that are regulated by the Fed, FDIC, OCC, and NCUA.

Under the Red Flags Rule, a creditor is any person or organization that regularly extends, renews, or continues customer credit and that also:

  • Receives or uses consumer reports in connection with a credit transaction
  • Gives information to consumer reporting agencies in connection with a credit transaction
  • Loans a person money48

The definition of covered account is also broad. There are two types of covered accounts. The first type is an account that is used “primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.”49 Examples of this type of account include:

  • Credit card accounts
  • Car loan accounts
  • Utility accounts
  • Cell phone carrier accounts

The second type of covered account is any other account for which identity theft is a reasonably foreseeable risk because of how the account is used. That risk includes harm to the customer, but it also includes harm to the safety and soundness of the financial institution or creditor. These accounts are covered accounts whenever the potential for identity theft is “reasonably foreseeable.”

NOTE

Payment in arrears refers to payments that are made after a business provides goods or services. Many businesses bill in arrears. They include utility companies, medical providers, and cell phone service providers.

Organizations fall within the scope of the Red Flags Rule because of their actions. They may not rely only on the labels “financial institution,” “creditor,” or “covered account” to determine whether they must comply with the Rule. Organizations must comply with the Red Flags Rule if they act in the same way as financial institutions or creditors and maintain accounts that resemble covered accounts.

FYI

The Red Flag Program Clarification Act of 2010 tightened the definition of creditor and exempted service providers such as doctors and healthcare professionals, lawyers, and accountants from the application of the Red Flags Rule.50 Associations that represented these professions filed numerous lawsuits to stop the FTC from enforcing the Red Flags Rule against these professions. They claimed that Congress did not intend that service providers who were paid in arrears be considered creditors under the Red Flags Rule. Congress agreed with those arguments when it passed the Red Flags Clarification Act.

Main Requirements

Under the Red Flags Rule, covered entities must develop a written Identity Theft Prevention Program. This program must detect, prevent, and mitigate identity theft in covered accounts. The written program must address both new and existing covered accounts.

Organizations can take the size and complexity of their operations into account when preparing their program. Larger companies that handle more accounts may need a more detailed plan, whereas smaller companies with fewer accounts may not need a very detailed plan. The written program must be appropriate for the organization.

An organization’s board of directors must approve the program. If an organization does not have a board of directors, then a senior official must approve the program. The Rule requires organizations to train their employees about their written programs. Organizations also must review their relationships with third-party service providers and make sure that the activities those providers perform on the organization’s behalf do not raise any Red Flags.

A written program must have the following components:

  • Identify Red Flags that apply to the organization.
  • Determine how the Red Flags will be detected during business processes.
  • Determine how to respond to Red Flags that are detected.
  • Review the written program periodically.

The agencies that worked together to create the Red Flags Rule realized that it may be difficult for organizations to determine activities that might raise a Red Flag. They created five different Red Flag categories:

  1. Alerts or notifications received from consumer reporting agencies or service providers
  2. Suspicious documents
  3. Suspicious personal identifying information
  4. Unusual or suspicious activity of a covered account
  5. Notice from customers, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts

The agencies also provided 26 examples of activity that might be considered a Red Flag.51 The categories of Red Flags and some of the examples that fall in each category are provided in TABLE 4-2.

TABLE 4-2 Red Flag Categories and Examples

RED FLAG CATEGORY: Alerts, Notifications, and Warnings From a Credit Reporting Company
RED FLAG EXAMPLES:
  • A fraud alert placed on a consumer report
  • A credit freeze placed on a consumer report
  • A consumer report indicating a pattern of activity that does not match the customer’s historical activity

RED FLAG CATEGORY: Suspicious Documents
RED FLAG EXAMPLES:
  • Identification documents that look altered or forged
  • A signature on a document that does not match the signature in the customer’s file
  • A photograph on an identification document that does not resemble the person presenting the identification document

RED FLAG CATEGORY: Suspicious Personal Identifying Information
RED FLAG EXAMPLES:
  • Personal information provided that does not match external information sources, for example, an address that does not match the customer’s consumer report
  • Incomplete personal information provided when opening an account
  • Personal information provided that does not match the information in the customer’s file

RED FLAG CATEGORY: Unusual or Suspicious Activity on a Covered Account
RED FLAG EXAMPLES:
  • A covered account used in a manner that does not match the customer’s historical activity
  • An unpaid account with no history of nonpayment on that account
  • Frequent new use of a covered account that was unused for a long period

RED FLAG CATEGORY: Notice From Customers or Others About Identity Theft
RED FLAG EXAMPLES:
  • Customer notification to the covered organization about suspected identity theft
  • Law enforcement notification to the financial institution or creditor about fraudulent activity

Once an organization identifies an action that might raise a Red Flag, it must take steps to detect that activity in its normal business practices. For example, an organization decides that forged or altered documents are a potential Red Flag. It must then detect when documents are forged or altered. Other ways to detect Red Flags could include asking customers to provide additional identification.

The proper response to a Red Flag depends on the situation. An organization could contact the customer or monitor accounts as a potential response. An organization also can investigate a potential Red Flag and determine that a response is not needed, depending upon the circumstances.
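To show how the Table 4-2 examples and the detect-and-respond steps above can be operationalized in an account-monitoring system, the following is an added Python example; it is not part of the original text and not a regulator's or any institution's own program. It screens constructed account events against encoded Red Flags from four of the five categories (suspicious documents are left out because examining a document is a manual review step) and maps the result to one of the responses named above: no action, monitor the account, or contact the customer. The record fields, the dormancy and spending thresholds, and the response mapping are assumptions for illustration; a real Identity Theft Prevention Program sets its own.

```python
"""Screen constructed account events for Red Flags drawn from Table 4-2.

Added example, not part of the original text. All customer, account and
event records below are constructed; field names, thresholds and the
response mapping are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Red Flag categories from the rule (category 2, suspicious documents,
# is a manual document review and is not encoded here).
CATEGORY_1 = "Alerts from a consumer reporting agency"
CATEGORY_3 = "Suspicious personal identifying information"
CATEGORY_4 = "Unusual or suspicious account activity"
CATEGORY_5 = "Notice from customers or others"


@dataclass
class CustomerFile:
    customer_id: str
    address_on_file: str
    address_on_report: str            # address per the consumer report (assumed field)
    fraud_alert_on_report: bool = False
    credit_freeze_on_report: bool = False


@dataclass
class Account:
    account_id: str
    customer_id: str
    last_activity: date               # most recent use before the event being screened
    typical_monthly_charges: int      # baseline derived from historical activity (assumed)
    missed_payments_before: int = 0   # nonpayment history on this account


@dataclass
class AccountEvent:
    account_id: str
    event_date: date
    charges_this_month: int
    payment_missed: bool = False
    address_supplied: Optional[str] = None   # address given on a new credit request
    customer_reported_theft: bool = False
    law_enforcement_notice: bool = False


def screen_event(event: AccountEvent, account: Account, customer: CustomerFile,
                 dormant_days: int = 365, spike_factor: int = 3) -> List[Tuple[str, str]]:
    """Return the (category, description) Red Flags raised by one event."""
    flags = []
    if customer.fraud_alert_on_report:
        flags.append((CATEGORY_1, "fraud alert on consumer report"))
    if customer.credit_freeze_on_report:
        flags.append((CATEGORY_1, "credit freeze on consumer report"))
    if event.address_supplied and event.address_supplied != customer.address_on_report:
        flags.append((CATEGORY_3, "supplied address does not match consumer report"))
    if event.address_supplied and event.address_supplied != customer.address_on_file:
        flags.append((CATEGORY_3, "supplied address does not match customer file"))
    # Spending far above the historical baseline does not match past activity.
    if event.charges_this_month > spike_factor * account.typical_monthly_charges:
        flags.append((CATEGORY_4, "activity does not match historical pattern"))
    if event.payment_missed and account.missed_payments_before == 0:
        flags.append((CATEGORY_4, "unpaid account with no history of nonpayment"))
    # New use of an account that sat idle longer than the dormancy threshold.
    dormant = (event.event_date - account.last_activity).days > dormant_days
    if dormant and event.charges_this_month > 0:
        flags.append((CATEGORY_4, "new use of a long-dormant account"))
    if event.customer_reported_theft:
        flags.append((CATEGORY_5, "customer reports suspected identity theft"))
    if event.law_enforcement_notice:
        flags.append((CATEGORY_5, "law enforcement notice of fraudulent activity"))
    return flags


def recommend_response(flags: List[Tuple[str, str]]) -> str:
    """Map raised flags to one of the responses the rule allows (assumed policy)."""
    if not flags:
        return "no action"
    categories = {category for category, _ in flags}
    if CATEGORY_1 in categories or CATEGORY_5 in categories or len(flags) >= 2:
        return "contact customer"
    return "monitor account"


# Constructed sample records.
SAMPLE_CUSTOMER = CustomerFile("C-1", "12 Elm St", "12 Elm St")
SAMPLE_ACCOUNT = Account("A-1", "C-1", last_activity=date(2022, 1, 15), typical_monthly_charges=200)
SAMPLE_EVENTS = {
    "routine": AccountEvent("A-1", date(2022, 2, 1), charges_this_month=150),
    "first_missed_payment": AccountEvent("A-1", date(2022, 2, 1), charges_this_month=150, payment_missed=True),
    "dormant_then_spike": AccountEvent("A-1", date(2023, 6, 1), charges_this_month=900),
}


def run_samples():
    """Screen every sample event; returns {name: (flags, response)}."""
    results = {}
    for name, event in SAMPLE_EVENTS.items():
        flags = screen_event(event, SAMPLE_ACCOUNT, SAMPLE_CUSTOMER)
        results[name] = (flags, recommend_response(flags))
    return results


if __name__ == "__main__":
    for name, (flags, response) in run_samples().items():
        print(f"{name}: {response}; flags={[d for _, d in flags]}")
```

The "dormant_then_spike" event raises two category-4 flags (the spend is more than three times the baseline and the account had been idle for over a year), so the assumed policy escalates to contacting the customer, while a single first missed payment only triggers monitoring. In practice the thresholds would be tuned per product line and the review step would let an analyst close a flag with no action, as the text notes.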

Oversight

Each agency that worked together to create the Red Flags Rule enforces it within its own authority. The Federal Reserve System, FDIC, OCC, and NCUA regulate most financial institutions. Because financial institutions are highly regulated, it makes sense for Red Flags Rule enforcement to stem from one of these regulatory agencies. Note that in 2010, the Dodd-Frank Act transferred rulemaking and enforcement of the Red Flags Rule to the SEC for the institutions that it regulates. The FTC enforces the rule for all other organizations.

Federal civil fines are possible for violations of the Red Flags Rule. Only the government can impose sanctions for violating the Red Flags Rule. The Red Flags Rule does not permit a private right of action. This means that individuals cannot sue financial institutions or creditors if they violate the Red Flags Rule.
