Everything You Need to Know About Red Flag Requirements



Each year, more than 9 million Americans are the victims of identity theft. Oftentimes there are red flags—that is, potential patterns, practices or activities indicating the possibility of identity theft—before it actually happens.


The Federal Trade Commission’s (FTC) Red Flags Rule requires affected businesses to take an active role in recognizing and stopping identity theft. Specifically, this is accomplished through a mandatory, written identity theft prevention program coupled with employee training. The Rule is enforced by the FTC, the federal bank regulatory agencies and the National Credit Union Administration, and failure to comply can bring a fine of up to $2,500 per instance for willful and knowing violations.


Businesses Required to Comply

The Red Flags Rule applies only to financial institutions and creditors who have or work with covered accounts. The FTC defines the scope of these terms specifically as outlined below.

A financial institution, according to the FTC, is any business holding a transaction account that belongs to a consumer or any institution that offers accounts where the consumer can make payments or transfers to third parties. Examples include the following:

  • State/national banks

  • State/federal savings and loan associations

  • Mutual savings banks

  • State/federal credit unions

  • State-chartered credit unions

  • Mutual funds that offer accounts with check writing privileges

The FTC’s definition of a creditor is any business or organization that regularly provides goods or services and then either defers payment or bills customers later. Also included in this group is anyone who regularly grants loans, arranges for loans, arranges for extension of credit, sets the terms of credit or makes credit decisions.


Covered accounts are those offered to customers for personal, family or household purposes that are designed to permit multiple payments or transactions. Accounts that carry a “reasonably foreseeable” risk of identity theft are also considered covered accounts under the Rule, even if they are not for personal use. Analyzing how these accounts are accessed, how many people can access them and the accounts’ past identity theft history will determine whether the owners of these accounts must comply with the Rule.


How to Comply

If you have determined, according to the FTC’s financial institution criteria, that you must comply with the Red Flags Rule, then you are required to develop and implement a written identity theft prevention program. For small businesses that must comply but are at low risk, the FTC supplies an online tool to aid in program development.


According to the FTC, this rule allows financial institutions the flexibility to tailor their programs to their unique risks, and compliance will be judged on how reasonably each business assesses those risks. Therefore, the FTC’s only direction is that your program must be appropriate to your organization’s size, complexity and the nature of its activities. Companies at high risk for identity theft should implement more comprehensive programs. Here are some important steps to include in your program:

  1. Recognize identity theft red flags and ensure through proper training that your staff is able to spot them as well. Also identify the sources of these red flags; for example, alerts from a credit reporting company, suspicious documents or personal identification information and suspicious account activity.

  2. Detect red flags in your day-to-day activity. You could do this by establishing a written procedure for verifying or authenticating both new and existing accounts.

  3. Prevent identity theft before it happens by taking extra precautions such as changing passwords or security codes periodically, monitoring accounts, contacting the customer regularly and reopening old accounts with new account numbers.

  4. Ensure that you will re-evaluate the program at least annually and update it as needed. Also include in the program how you plan to train the appropriate staff to identify, detect, respond to and prevent red flags and identity theft.

Before implementing your program, it must be approved by your board of directors or a member of senior management. The FTC also requires you to outline in your program who will be in charge of administering, overseeing and carrying out the program. Visit the FTC’s website for more information if you need further advice on building your plan or help deciding whether you need to comply with the Red Flags Rule.


Contact the Insurance and Risk Management Professionals at E.B. Cohen today for additional assistance.