
What do I have to do to comply with the Red Flags Rules?

The Red Flag Rules require you to develop, implement, and maintain a written Program to detect, prevent, and mitigate loss due to identity theft. Your Identity Theft Prevention Program must address patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft.

There are several elements and administrative requirements for developing an Identity Theft Prevention Program under the Red Flag Rules. Your Program must include policies, procedures, and employee training that meet the scope of your business. This can only be accomplished by conducting a thorough risk assessment of identity theft risks to your organization. Then an Identity Theft Prevention Program can be drafted that meets the criteria below. DO NOT adapt someone else's program or policy as your own.

Elements of Red Flags.

There are four basic elements to Red Flags Regulations and Guidelines.

Element One: Identify Red Flags

Each financial institution or creditor that is subject to the regulation must identify patterns, practices, or specific activities that indicate the possible risk of identity theft. These items are known as “red flags.” In doing so, the organization must consider which of its accounts are subject to the risk of identity theft; the methods it provides to open its accounts; the methods it provides to access its accounts; its size, location, and customer base; and its previous experiences with identity theft. Examples are provided in section 114, subpart J, Appendix A of FACTA.

Element Two: Detect Red Flags

The regulation states that the Identity Theft Prevention Program should address the detection of Red Flags in connection with the following:

  1. The opening of new covered accounts, by obtaining identifying information and verifying the identity of the person opening the account, using the policies and procedures set forth in the CIP rules of section 326 of the USA PATRIOT Act.
  2. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in existing covered accounts.

Element Three: Responding to Red Flags

The Identity Theft Prevention Program must address the risk of identity theft to the customer and to the financial institution or creditor, commensurate with the degree of risk posed. The regulation provides an illustrative list of appropriate measures, which includes:

Element Four: Updating the Program

The financial institution or creditor should periodically update its Identity Theft Prevention Program considering its own experiences with identity theft, changes in the methods of identity theft, changes in methods to detect, prevent, and mitigate identity theft, changes in accounts that it offers and maintains, and changes in its business arrangements.

Administration of the Identity Theft Prevention Program.

The regulation describes the steps that a financial institution or creditor must take to administer the Identity Theft Prevention Program, including obtaining approval of the initial written program; ensuring oversight of its development, implementation, and administration; training staff; and overseeing service provider arrangements.

  1. The Initial Program must be adopted in writing by the Board of Directors, a committee of the board, or a designated member of senior management.
  2. The Board of Directors, a committee of the board, or a designated member of senior management must oversee, develop, implement, and administer the Identity Theft Prevention Program.
  3. The responsible committee or person must report to the Board of Directors, at least annually, on the effectiveness of the program, significant events and response, and make recommendations for material changes.
  4. Service providers performing activities in connection with covered accounts must have an Identity Theft Prevention Program.
  5. Financial institutions or creditors must train staff as necessary to effectively implement the program.