What Is the Identity Theft Red Flags Rule?

Many people and entities work to combat identity theft. Consumers help protect themselves by guarding personal identifying information such as Social Security numbers and driver’s license numbers. Businesses maintain security systems to protect their customers’ billing information and addresses. Law enforcement agencies work to detect, track, and eventually prosecute identity thieves. Together, these and other efforts make up a concerted defense against identity theft. The identity theft red flags rule refers to another one of these efforts undertaken by financial institutions and creditors.

The Red Flags Rule

Federal law requires banks, investment brokers, mutual funds, and other creditors to adopt identity theft prevention programs. This is the red flags rule, so-named because its central feature requires financial institutions to identify certain practices that are indicators, or “red flags,” of identity theft.

Banks and creditors must:

  • Identify practices and features that are “red flags” of identity theft;
  • Develop a program for recognizing these red flags when they arise;
  • Establish a plan for dealing with red flags to help prevent identity theft in their businesses; and
  • Keep their identity theft prevention programs up to date.

These four “program elements” come from the relevant federal regulation, and form the basis of the red flags rule.

If the red flags rule sounds open-ended to you, that’s because it is. The red flags rule applies to many different types of businesses and organizations, and has to be flexible enough to work for all of them. The important part to remember is that banks and creditors must have identity theft prevention programs that identify, notice, and act based on red flag indications of identity theft.

How It Works: The Red Flags Rule in Action

Here’s an example. A bank must comply with the red flags rule, and must devise an identity theft prevention program. It might (1) determine that a sudden shift in an account holder’s spending patterns is a red flag of identity theft.

To (2) detect this red flag, the bank might decide to flag instances where an account holder suddenly starts charging more to a credit card, begins purchasing valuable and easily transferable items like jewelry, or makes large purchases out of state or out of the country.

When this happens, the bank might (3) take action by monitoring the account, contact the account holder, or change an account’s passwords and security codes. You, the customer, might hear about it at this point. But the bank’s red flags identity theft prevention program has already been operating to protect your money, credit, and information.

In any case, the bank has (1) identified red flags of identity theft, (2) taken steps to recognize them when they arise, and (3) developed a plan for dealing with red flags when they’re detected. It will also meet the red flags rule by (4) continually updating its identity theft prevention program. This is the identity theft red flags rule in action.

A Controversial History

The identity theft red flags rule has faced controversy. Much of this has been due to interpretation of its scope. First laid out in section 114 of the Fair and Accurate Credit Transactions Act of 2003, federal agencies drafted the red flags rule to apply broadly to financial institutions and “creditors.” Controversy arose because the Federal Trade Commission (FTC) broadly defined creditors to include anyone who provided services and billed customers later – including psychologists, lawyers, and even municipal utility providers. Congress has since narrowed the definition of creditors – doctors, lawyers, and other professionals don’t have to come up with identity theft prevention programs.

While federal agencies delayed implementing the red flags rule for years, it’s now in effect. Banks, credit unions, brokers, mutual funds, financial institutions, and similar businesses are generally covered by the rule and must have identity theft prevention programs in place. It’s worth asking your bank or credit union about their implementation of the identity theft red flags rule. Understanding how identity theft is prevented can help you take steps to reduce the risk of it happening to you.

Getting Legal Help

Individuals and businesses should take identity theft seriously. You can find more information on these pages. For specific questions related to an individual case, we recommend speaking to a consumer protection attorney.

Next Steps

Contact a qualified consumer attorney to assist with the hazards and stress accompanying identity theft and online scams.

Help Me Find a Do-It-Yourself Solution