The “Red Flags Rule” is a set of regulatory requirements outlined in the Fair and Accurate Credit Transactions Act (FACTA) and enforced by the Federal Trade Commission. Essentially, the rule requires businesses to protect themselves and their customers against identity theft by defining “red flags” (i.e. any suspicious account activity, informational inconsistencies, or other signals that may be indicative of identity theft), putting systems in place to detect and act on those red flags, and formally documenting that system.
The FTC doesn’t mandate any specific process or technology for catching and responding to red flags, so the size and scope of compliant policies vary from business to business. Although the flexibility granted by the Rule is useful, it can be challenging to set up and maintain a red flags program that’s attuned to your level of risk and the needs of your customers. For one, not every type of business needs to be red flag compliant. And those that do can have differing criteria on what counts as a red flag. In this post, we’ll review who the Red Flags Rule applies to and cover some examples of red flags.
What Businesses Need to Comply With the Red Flags Rule?
Under the Red Flags Rule, “financial institutions” and “creditors” are required to create a compliant identity theft prevention program that governs services for “covered accounts.”
The Rule defines a “financial institution” as any of the following:
- A state or national bank
- A state or federal savings and loan association
- A mutual savings bank
- A state or federal credit union
- Any type of institution that directly or indirectly holds a transaction account (i.e. a deposit or account from which a consumer can make payments or transfers to third parties) belonging to a consumer.
Common examples of “creditor” businesses that need to follow the Red Flags Rule include automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Technically, a “creditor” is defined as any entity that regularly does any of the following as part of their business activities:
- Obtains or uses consumer credit reports
- Provides information to consumer reporting agencies regarding credit transactions
- Advances funds that are secured by collateral and/or must be repaid in the future
- Participates in the decision to grant, extend, renew, or set the terms of credit
Only creditors and financial institutions that have covered accounts need to create and maintain an identity theft prevention program. The Rule defines “covered accounts” as:
- Consumer accounts designed to permit multiple payments or transactions, including but not limited to: credit card accounts, mortgage loans, automobile loans, checking accounts, and savings accounts
- Any other type of consumer account that presents a reasonably foreseeable risk from identity theft. This second definition is quite broad and can apply to nearly any type of account where you retain consumers’ identifying information for business purposes. Typical examples include retail brokerage accounts, credit card accounts, margin accounts, and checking or savings accounts.
What Kinds of Signals Should be Considered as Red Flags?
As you may have guessed from the variety of entities the Red Flags Rule applies to, some red flags may apply to certain types of businesses or consumer accounts, but not others. To help businesses be as thorough as possible in considering all of the potential patterns, practices, or specific activities that should be part of an identity theft prevention program, the Rule describes five categories of red flags:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
- The presentation of suspicious documents (for example, identification that looks altered or forged).
- The presentation of suspicious personal identifying information (such as an invalid address or phone number).
- The unusual use of, or other suspicious activity related to, a covered account (for example, a sudden change in a customer’s spending patterns or credit utilization).
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
Now that you know who needs to follow the Red Flags Rule and what your potential red flags should be, the next step is compliance. In our next post, we’ll walk through a basic framework for setting up a Red Flags-compliant identity theft prevention program.