

An Overview of FTC’s Red Flags Rule (Identity Theft)

By Securiti Research Team
Published September 25, 2023


The digital landscape has brought numerous benefits in a world that is increasingly becoming more interconnected. However, it has paved the way for new challenges, particularly identity theft. In response to such increasing threats, the Federal Trade Commission (FTC) introduced the Red Flags Rule—an essential safeguard designed to curb the rising tide of identity theft. Effective 1 November 2009, the rule requires certain entities to establish programs that facilitate detecting, preventing, and mitigating identity theft.

In this blog, we delve into the intricacies of the FTC's Red Flags Rule, exploring whom it applies to, what covered accounts are, the obligations for covered entities and their significance, and how organizations can adopt proactive compliance measures. By understanding FTC's Red Flags Rule, individuals and organizations can fortify their defenses against identity theft and contribute to a safer digital ecosystem.

What is the Red Flags Rule?

The Red Flags Rule is a regulatory framework established by the FTC to combat identity theft in the United States. It requires certain financial institutions and creditors to establish and implement identity theft prevention strategies to identify, detect, and reduce "red flags" or indicators of potential identity theft inside their operations.

Under the FTC Red Flags Rule, organizations must put in place a written identity theft prevention program to assist them in identifying any relevant "red flags" that indicate identity theft in everyday business operations. The Rule also offers steps to help prevent crime and to mitigate its damage. You don't need a written program if you don’t have any covered accounts.

Who Must Comply?

The Red Flags Rule applies to financial institutions and creditors that offer or maintain covered accounts. To determine applicability, financial institutions and creditors must periodically assess whether they offer or maintain covered accounts. The decision is made based on whether a business's operations fall within the relevant definitions, not on its industry or sector. An organization needs to implement a written program only if it has covered accounts.

Let us examine what exactly ‘financial institution’, ‘creditor’, and ‘covered account’ mean for the purposes of the Red Flags Rule.

Financial Institutions

A financial institution may be a state or national bank, a mutual savings bank, a federal or state savings and loan association, a federal credit union, or a person holding a transaction account that belongs to a consumer.

Creditors

A business can be a creditor based on its conduct. To determine if a business’s conduct makes it a creditor, the following question-based steps can be helpful:

Step 1

Answer the following question:

“Does the business or organization regularly:

  • Defer payment for goods and services?
  • Grant or arrange credit?
  • Participate in the decision to renew, extend, or set credit terms?”

If the answer is “NO” to all questions, the Rule does not apply. However, if the answer to one or more questions is “YES,” proceed to Step 2.

Step 2

Answer the following question:

“Does the business or organization regularly:

  • Request, get, and use consumer reports regarding a credit transaction?
  • Turn in information to credit reporting agencies regarding a credit transaction?
  • Provide funds to someone who must repay them, whether with funds or pledged property as collateral?”

The Rule is not applicable if the answer is “NO” to all the questions; however, the business is considered a creditor under the Rule if the answer is “YES” to one or more of the above questions.

What are Covered Accounts?

Once a business or organization has determined that it is a financial institution or a creditor covered by the Rule, it must determine if it has any “covered accounts.” The business or organization should look at existing as well as new accounts.

Following are the two types of accounts that are covered accounts for the purposes of the Red Flags Rule:

  1. An account that a financial institution or creditor offers or maintains, mainly for personal, family, or household purposes, that involves or allows multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, checking accounts, and savings accounts.
  2. Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

In determining whether accounts fall under the second category, businesses should consider how the accounts are opened and accessed. The risk analysis must also consider any actual incidents of identity theft involving accounts of that kind.

Periodic Identification of Covered Accounts

Each financial institution or creditor must reassess whether it provides or maintains covered accounts periodically. A financial institution or creditor must conduct a risk assessment to determine whether it provides or maintains covered accounts, taking into account:

  • The methods it provides to open its accounts;
  • The methods it provides to access its accounts; and
  • Its previous experiences with identity theft.

Identity Theft Prevention Program

The financial institutions and the creditors that offer or maintain covered accounts must establish and implement a written Identity Theft Prevention Program (ITPP) that must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities and must be able to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must consist of policies and procedures to identify and detect the red flags and respond appropriately to prevent and mitigate identity theft.

What are Red Flags?

Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft. Appendix A to the Red Flags Rule provides the following five categories of red flags that financial institutions and creditors should consider including in their programs:

  1. Warnings, alerts, alarms, or notifications from a consumer reporting agency.
  2. Suspicious documents.
  3. Unusual use of, or suspicious activity related to, a covered account.
  4. Suspicious personally identifying information, such as a suspicious inconsistency with a last name or address.
  5. Notifications from customers, law enforcement authorities, other businesses, and victims of identity theft regarding possible identity theft in relation to specified accounts.

Supplement A to Appendix A also provides illustrative examples for the above red flag categories.

Obligations for Organizations

Identify Red Flags

Risk Factors

Different types of accounts pose different kinds of risks. For example, red flags for deposit accounts may differ from red flags for credit accounts, and those for consumer accounts may differ from those for business accounts. Therefore, while identifying key red flags, financial institutions or creditors should consider the types of covered accounts they offer or maintain, how they open covered accounts, how they provide access to those covered accounts, and what they know about identity theft in their businesses.

Sources of Red Flags

Technology and criminal techniques change constantly, so keeping up to date on new threats is important. Financial institutions and creditors should incorporate relevant red flags from sources such as:

  • Identity theft incidents that the financial institution or creditor has encountered;
  • Methods of identity theft that the financial institution or creditor has identified and that reflect changes in identity theft risks; and
  • Applicable supervisory guidance.

Detect Red Flags

The policies and procedures of an ITPP should address the detection of red flags in connection with the opening of new covered accounts as well as existing ones. For example, red flags can be detected by:

  1. Obtaining identifying information about, and verifying the identity of, a person opening a new covered account; or
  2. Using reasonable procedures to authenticate customers, monitor transactions, and verify the validity of change of address requests for existing covered accounts.

Prevent and Mitigate ID Theft

Once a financial institution or a creditor has detected the red flags, its ITPP must be able to provide appropriate responses that are commensurate with the degree of risk posed. The appropriate responses must also consider the aggravating circumstances that may heighten identity theft risk. Following are some examples of appropriate responses:

  • monitoring a covered account for evidence of identity theft,
  • contacting the customer,
  • changing passwords, security codes, or other ways to access a covered account,
  • closing an existing covered account,
  • reopening a covered account with a new account number,
  • not opening a new covered account,
  • not trying to collect on a covered account or not selling an account to a debt collector,
  • notifying law enforcement,
  • determining that no response is warranted under the particular circumstances.
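The two sections above (detecting red flags, then responding in proportion to the risk) are easiest to see as a small rule engine. The following is an added example written for this post; it is not code from Securiti or from the FTC. The event types, the severity scale, the 30-day correlation window and the sample events are all constructed assumptions. It maps each finding to one of the page's own Appendix A categories and to responses drawn from the list above, and it treats an unverified change of address followed shortly by a card request as a higher-risk combination than either event alone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The five red-flag categories from Appendix A to the Red Flags Rule.
CRA_ALERT = "warning or alert from a consumer reporting agency"
SUSPICIOUS_DOCUMENT = "suspicious documents"
UNUSUAL_USE = "unusual use of, or suspicious activity related to, the account"
SUSPICIOUS_PII = "suspicious personally identifying information"
NOTIFICATION = "notification from a customer, law enforcement or another business"

# Assumed window: a card request this soon after an unverified address change is correlated.
CARD_AFTER_ADDRESS_CHANGE = timedelta(days=30)


@dataclass
class Event:
    account: str
    ts: datetime
    kind: str            # constructed event type, not a real core-banking schema
    data: dict = field(default_factory=dict)


@dataclass
class RedFlag:
    account: str
    category: str
    detail: str
    severity: int        # assumed scale: 1 = monitor, 2 = contact customer, 3 = block/escalate


def detect(events):
    """Apply per-event rules plus one cross-event correlation, account by account."""
    flags = []
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)

    for account, evs in by_account.items():
        unverified_change = None   # most recent change of address not confirmed with the customer
        for ev in evs:
            d = ev.data
            if ev.kind == "cra_report" and d.get("alert") in {"fraud_alert", "address_discrepancy", "credit_freeze"}:
                flags.append(RedFlag(account, CRA_ALERT, f"CRA {d['alert']}", 2))
            elif ev.kind == "document_check" and d.get("result") in {"altered", "photo_mismatch"}:
                flags.append(RedFlag(account, SUSPICIOUS_DOCUMENT, f"document {d['result']}", 3))
            elif ev.kind == "application" and d.get("address_matches_cra") is False:
                flags.append(RedFlag(account, SUSPICIOUS_PII, "address inconsistent with consumer report", 2))
            elif ev.kind == "identity_theft_notice":
                flags.append(RedFlag(account, NOTIFICATION, f"notice from {d.get('source', 'unknown')}", 3))
            elif ev.kind == "address_change":
                if d.get("verified"):
                    unverified_change = None
                else:
                    unverified_change = ev
                    flags.append(RedFlag(account, UNUSUAL_USE, "change of address not verified with customer", 1))
            elif ev.kind == "card_request" and unverified_change is not None:
                if ev.ts - unverified_change.ts <= CARD_AFTER_ADDRESS_CHANGE:
                    flags.append(RedFlag(account, UNUSUAL_USE, "card request shortly after unverified change of address", 3))
    return flags


def respond(flag):
    """Pick responses from the page's list, commensurate with the degree of risk."""
    if flag.severity >= 3:
        return ["change passwords, security codes or other ways to access the account",
                "do not issue a new card or open a new account until identity is confirmed",
                "notify law enforcement if identity theft is confirmed"]
    if flag.severity == 2:
        return ["contact the customer", "monitor the account for evidence of identity theft"]
    return ["monitor the account for evidence of identity theft"]


def assess(events):
    """Return {account: [(category, severity, responses), ...]} for every flagged account."""
    out = {}
    for flag in detect(events):
        out.setdefault(flag.account, []).append((flag.category, flag.severity, respond(flag)))
    return out


# Constructed sample events (not real customer data).
T0 = datetime(2023, 9, 1)
SAMPLE_EVENTS = [
    Event("ACC-1001", T0, "address_change", {"verified": False}),
    Event("ACC-1001", T0 + timedelta(days=5), "card_request", {"type": "replacement"}),
    Event("ACC-2002", T0, "cra_report", {"alert": "fraud_alert"}),
    Event("ACC-3003", T0, "address_change", {"verified": True}),
    Event("ACC-3003", T0 + timedelta(days=2), "card_request", {"type": "additional"}),
    Event("ACC-4004", T0, "identity_theft_notice", {"source": "customer"}),
]

if __name__ == "__main__":
    for account, findings in assess(SAMPLE_EVENTS).items():
        for category, severity, responses in findings:
            print(f"{account}: [{severity}] {category} -> {responses[0]}")
```

Running it flags ACC-1001 twice (a low-severity flag for the unverified address change and a high-severity one for the card request that follows it), ACC-2002 once for the consumer reporting agency alert, and ACC-4004 once for the customer's notice; ACC-3003, whose address change was verified before the card request, produces nothing. The point of the correlation rule is that the same card request is either routine or a red flag depending on what preceded it, which is why the page asks for change of address requests to be verified rather than simply logged.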

Update the Program

To keep pace with changing identity theft risks, financial institutions and creditors must periodically update their ITPP. The following factors must be considered when updating the ITPP:

  1. The experiences of the financial institution or creditor with identity theft;
  2. Changes in:
    1. methods of identity theft;
    2. methods to detect, prevent, and mitigate identity theft;
    3. the types of accounts that the financial institution or creditor offers or maintains; and
    4. the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

Administration of the Program

a. Board Approval on the Initial Written ITPP

The Board of Directors (Board), an appropriate committee of the Board, or a designated member of senior management must approve the initial written ITPP. The Board may oversee, develop, implement, and administer the ITPP itself or designate a senior employee to do so. Responsibilities include assigning specific responsibility for the program’s implementation, reviewing staff reports about compliance with the Rule, and approving important changes to the ITPP.

b. Check your Service Providers

In administering your program, monitor the activities of your service providers. If they’re conducting activities covered by the Rule — for example, opening or managing accounts, billing customers, providing customer service, or collecting debts — they must apply the same standards you would if you were performing the tasks yourself.

c. Corporate Governance and Audit

The person responsible for your ITPP should report at least annually to your Board or a designated senior manager. The report should evaluate how effective your ITPP has been in addressing the risk of identity theft, how you’re monitoring the practices of your service providers, significant incidents of identity theft and your response, and recommendations for major changes to the ITPP.

How Can Organizations Comply with FTC’s Red Flags Rule?

Complying with the FTC's Red Flags Rule involves implementing an efficient ITPP that is suited to the organization's size, nature of business, and possible risks. The general actions businesses can take to ensure compliance are:

Identify Covered Accounts

Identify the accounts that the Rule considers to be "covered accounts": accounts that allow multiple payments or transactions, or that otherwise carry a reasonably foreseeable risk of identity theft.

Designate a Program Officer

Establish an individual or group in charge of managing the development, implementation, and maintenance of the ITPP.

Conduct Risk Assessments

Conduct risk assessments to evaluate the organization's operations to identify potential red flags or indicators of identity theft. Consider elements like the kinds of accounts provided, the ways to access accounts, and prior instances of identity theft.

Develop Written Policies and Procedures

Specify how the organization will identify and respond to red flags through documented policies and procedures. This includes specifics on the red flags that will be monitored and remediation actions when they are discovered.

Train Employees

Train employees on identifying and detecting red flags and on the proper response procedures. Verify that employees understand the organization's identity theft prevention program and their responsibilities under it.

Incident Response Plan

Create a detailed plan for handling any discovered red flags. Describe what to do after identifying a red flag, including confirming the account holder's identity and, if necessary, alerting the relevant law enforcement or regulatory bodies.

Continuous Monitoring

Monitor for any potential red flags in your accounts and transactions. Review and frequently update the identity theft prevention program to account for new risks and conditions.

Third-Party Oversight

Establish procedures for monitoring and ensuring third-party service providers' compliance with the Red Flags Rule if the organization uses them to manage covered accounts or activities.

Ensuring compliance with FTC’s Red Flags Rule is essential for business continuity and for avoiding noncompliance penalties. Non-compliance with the Red Flags Rule can result in civil fines of up to $3,500 per violation and up to $2,500 per infraction.
