Finance & Enjoyment Blog

The Red Flag Rules were developed to address identity theft issues through creditor handling of personal consumer information.  In theory, finding identity theft early in source transactions and taking proactive steps to stop the damage should lessen financial losses to organizations, and protect consumers from becoming victims.  The FACT Act, of which the Red Flags Rules are a part, is a significant piece of legislation that amended the Fair Credit Reporting Act (FCRA) and requires businesses to implement the law through a number of regulations.

According to the Federal Trade Commission, many companies are still not aware that they fall under the Red Flags Rule.  The deadline for compliance is November 1, 2009!



Highlights of FACT Red Flags Rules

Creditor coverage is broadly interpreted - generally, any business that allows consumers to pay over time is included.

Financial institutions and creditors with covered accounts must have identity theft prevention programs to identify and respond to activities that could lead to identity theft.  Federal law defines a creditor to be any entity that regularly extends, renews, or continues credit.

Some examples of creditors are:

  • Finance companies
  • Automobile dealers
  • Medical practices
  • Hospitals
  • Mortgage brokers
  • Utility companies
  • Phone companies
  • Non-profit and government entities that defer payment for goods or services

What Are Red Flags?

On the Federal Trade Commission (FTC) Web site you will find 26 examples of red flags as guidelines for detecting possible identity theft.  Basically, Red Flags are defined by the FTC as "potential patterns, practices, or specific activities indicating the possibility of identity theft." To access the extended list click here


Red Flag alerts may be reported to the FTC through notifications or other warnings received from various agencies such as:

  • Consumer reporting agencies
  • Consumers
  • Victims of identity theft
  • Law enforcement officers
  • Suspicious documents such as forgeries or a photo description that does not match a person
  • People using inconsistent or mismatched addresses
  • Social Security numbers of the deceased now active
  • Credit card statements returned as undeliverable, but transactions on account continue

How Do I Create a Red Flag Program?

The company must create a written compliance plan to assign specific responsibility for implementation, train staff, audit compliance, generate annual reports, and oversee anyone granted access to covered accounts. At this time there are no federal quality standards pertaining to the handling and storage of personal and financial information.  However, the FTC does provide a step-by-step guide for creating a Red Flags Rule Program.  Go Here to view this step-by-step guide.

A program for detecting Red Flags requires:

  • Obtaining identifying information
  • Verifying the identity of persons opening covered accounts
  • Having a process to authenticate customers
  • Monitoring their transactions
  • Verifying the validity of change-of-address requests 



The Rule creates an affirmative obligation to prevent, detect and mitigate identity theft. Affected entities and businesses must proactively look for red flags and take proper steps to prevent identity theft. The enforcers will be, to a sizeable extent, plaintiffs and class action attorneys.


Non-compliance risks are massive.  Failing to comply will result in civil fines, regulatory enforcement proceedings, plaintiff lawsuits and damage to one's reputation.  The bar has been raised.

Roughly 250 billion known records have been accessed in data breaches since January 2005.  Let's hope that the Red Flag Rules are a step toward mitigating this number.

If you have questions about whether your business is impacted by the Red Flag Rules, or need more information about establishing a compliance plan, call us at 303-815-1100. Our team is ready to assist you. 


Posted in Rules and Regulations »

0 Responses to "Identity Theft and Red Flag Rules"
