Under the Red Flags Rule (the "Rule"), part of the Fair and Accurate Credit Transactions Act that came into effect on January 1, 2008, certain businesses such as financial institutions and creditors are required to develop a set of rules to detect, prevent, and mitigate identity theft. On December 18, 2010, a change in law amended the definition of "creditor" under the Rule, limiting the circumstances under which creditors are covered, and expanded the definition of "financial institution."

Amendment Provisions

A "creditor" is now defined as one who regularly, and in the ordinary course of business, meets one of three general criteria:

  1. Obtains or uses consumer reports in connection with a credit transaction;
  2. Furnishes information to consumer reporting agencies in connection with a credit transaction; or
  3. Advances funds to, or on behalf of, someone, except to fund expenses incidental to a service provided by the creditor to that person.

Certain nonprofit organizations can be considered creditors for purposes of the Rule if they accept deferred payment for goods or services. Two examples are nonprofit organizations in the health care industry that accept payment plans for health care provided, and colleges and universities that have tuition payment plans.

In addition, a "financial institution," which was previously defined as a bank, savings and loan, credit union, or other entity that holds a "transaction account" belonging to a consumer that allowed the consumer owner to make payments or transfers, now includes banks, savings and loans and credit institutions regardless of whether or not they hold a transaction account belonging to a consumer.

Creating a Program

The Rule provides the entity the flexibility to implement a program that best suits the entity as long as it meets the Rule's requirements. There are four basic steps to design a written program:

  1. Identify relevant red flags.
  2. Detect red flags.
  3. Prevent and mitigate identity theft.
  4. Update your program periodically.

Additionally, the program must identify and address certain "red flags" or warning signs such as:

  1. Alerts, notifications, or warnings from a consumer reporting agency;
  2. Suspicious documents;
  3. Suspicious personally identifying information;
  4. Suspicious activity relating to a covered account;
  5. Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

Guidelines issued with the Rule and an organization's own particular operations are a good starting point in designing the program. Ultimately, businesses and organizations should take the time to understand how identity theft could occur based on their operations. Noncompliance with a written identity theft detection and prevention program could expose a business or nonprofit organization to an investigation from the Federal Trade Commission.

Please visit http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf for guidelines issued with the Rule.
