Red Flag Rule

Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 (Aka Identity Theft Red Flags Rule): URGENT FTC UPDATE!!!


The issuance of the final rule of the Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 rule implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act.

The purpose of the Rule is to attempt to minimize incidents of Identity Theft and fraud in the opening and maintenance of covered accounts by financial institutions and creditors, as well as addressing issues of address discrepancies by users of consumer reports (credit reports and specialty consumer reports) and debit or credit card issuers.

Summary of Key Requirements:

The final rules requires every organization that holds any consumer account, or other Personal identifying information for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft of its customers and enable an organization to specifically:

  • Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
  • Detect red flags that have been incorporated into the Program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically to reflect changes in risks from identity theft.
Administration and Oversight of the Program:

Each institution that implements this program must provide for the continued administration and oversight of the Program and must:

  1. Obtain approval of the initial written Program/ Policy from either its board of directors or an appropriate committee of the board of directors; and
  2. Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program (appoint a security officer); and
  3. Train staff to effectively implement the Program; and
  4. Exercise appropriate and effective oversight of service provider arrangements. (Request compliance from ALL vendors)