October 3, 2008

Red November: Understanding the Red Flag Rule.

Many may have heard of the Red Flags Rule and know that businesses need to make changes to comply with it. However, many institutions are still unclear about how this rule affects them. On top of that, US financial institutions face a mandatory deadline of November 1, 2008 to comply with 3 new US Fair and Accurate Credit Transactions Act (FACT Act) regulations referred to as the Red Flag rule.

What are the red flag rules?

The red flag rules push financial institutions to make sure that people are who they say they are. Red flag rules stipulate that financial institutions and creditors establish a written identity theft prevention program to detect, prevent and mitigate identity theft. According to the FTC, each year over 8 million consumers fall victim to identity theft, and over $15 billion in losses are caused by identity thieves.

Identity theft is a growing crime that harms not only consumers but also businesses. The Red Flag Rule is designed to hold businesses more accountable in their management of consumer information through guidelines and legislation that address technology and procedural issues affecting how that information is handled.

What are Red Flags?

Red Flags can be defined as any specific activity, practice or pattern which indicates the possible existence of fraud or identity theft, such as:

  • Unusual credit activity, such as an increased number of accounts or inquiries.
  • Documents provided for identification appearing altered or forged.
  • Photograph on ID inconsistent with appearance of customer.
  • Information on ID inconsistent with information provided by person opening account.
  • Lack of correlation between Social Security number range and date of birth.
  • Social Security number provided matching that submitted by another person opening an account or other customers.
  • Drastic change in payment patterns, use of available credit or spending patterns.
  • An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
  • Financial institution or creditor notified that customer is not receiving paper account statements.
  • Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft.

How can it affect you?

  • Each financial institution and creditor that holds any “covered account” needs to develop and implement an Identity Theft Prevention Program designed to prevent, detect, and mitigate identity theft in connection with new and existing accounts.
  • The rules require issuers of credit and debit cards to develop policies and procedures to ensure the validity of an address change request when that request is followed closely by a request for an additional or replacement card.
  • Users of consumer credit reports are required to develop policies and procedures to respond to notices from credit reporting agencies regarding address discrepancies.

Who must comply?

The Red Flag Rules apply to any financial institution or creditor. So they apply not only to every single bank, savings and credit union, but also to thousands of other institutions that are considered creditors. The FTC states that financial institutions and creditors that “offer or maintain covered accounts” must implement a red flag rule program.


Complying with the rule is not an easy or quick task; it carries the same challenges as any other compliance standard out there. However, the risks of non-compliance are huge. Failing to comply can lead to anything from civil fines, enforcement action and lawsuits to, especially, harm to one’s reputation. The FTC may impose civil money penalties which can go up to $2,500 per violation.

For more info on the Red Flag Rule, visit the FTC website: http://www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf