According to the Federal Trade Commission (FTC), “identity theft” affects an estimated nine million Americans annually, resulting in significant financial and reputational harm to individuals and costly losses to businesses.
Identity theft occurs when an individual’s personal or financial information is used without authorization. This may include details such as their name and address, credit card or bank account numbers, Social Security Numbers (SSNs), or medical insurance account numbers. The stolen information can then be exploited to:
- Make purchases with the victim’s credit cards.
- Obtain new credit cards in the victim’s name.
- Open utility accounts using their identity.
- Steal their tax refund.
- Secure employment.
- Access medical care.
- Impersonate them in the event of an arrest.
The FTC, along with other federal agencies, enforces the Red Flags Rule under the Fair Credit Reporting Act (FCRA). This regulation mandates that certain businesses and organizations implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft.
The Rule aims to help organizations:
- Detect suspicious activity (i.e., “red flags”) that may indicate identity theft.
- Respond appropriately to such threats.
- Minimize harm caused by identity theft.
- Regularly update their programs to address evolving risks.
The Rule emphasizes a risk-based and flexible approach, allowing businesses to scale their programs according to the size, complexity, and level of identity theft risk they face.
Whether a business must comply depends not on its industry but on the activities it carries out:
- Financial Institutions include banks, credit unions, and others that hold consumer accounts.
- Creditors are businesses that:
  - Defer payment for goods or services,
  - Grant or arrange credit, or
  - Use or provide consumer reports in connection with credit decisions.
Only those with “covered accounts” must implement a Red Flags Program. These include:
- Personal accounts with multiple payments or transactions (e.g., credit card accounts, mortgage loans, automobile loans, checking accounts, and savings accounts).
- Other accounts with foreseeable identity theft risk (e.g., small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft).
Businesses must conduct periodic risk assessments to determine whether they have covered accounts.
How to Comply: A Four-Step Process
1. Identify Relevant Red Flags
Businesses must assess risk based on account types, how accounts are opened and accessed, and past experiences with identity theft. Red flags may arise from:
- Credit report alerts.
- Suspicious ID documents.
- Inconsistent personal information.
- Unusual account activity.
- External notices (e.g., law enforcement or customer complaints).
2. Detect Red Flags
Programs must include procedures for verifying identities (especially for new accounts), authenticating users, and monitoring account activity. Verification should consider the context (e.g., in-person, online) and avoid relying solely on easily obtained information like SSNs or birthdays.
3. Prevent and Mitigate Identity Theft
When red flags are detected, businesses must respond appropriately. Potential actions include:
- Monitoring the account.
- Changing credentials.
- Closing or reopening the account.
- Notifying law enforcement.
- Deciding not to collect on the account.
Responses should be proportionate to the level of risk and consider aggravating factors, such as recent data breaches.
4. Update the Program
Programs must evolve in response to changing threats, technologies, and organizational structures. Updates should reflect:
- New methods of identity theft.
- Changes in services or business models.
- Lessons learned from past incidents.
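To show how the four steps fit together in code, here is an added illustration (it is not from the FTC guide and is not a real firm's Program): a small screening routine that identifies a catalogue of red flags (step 1), detects them over an account's event history (step 2), chooses a response proportionate to the most severe flag and escalates when an aggravating factor such as a recent breach is present (step 3), and allows new rules to be registered as the threat picture changes (step 4). The rule set, the response tiers and the sample events are all constructed for the example.

```python
"""Toy red-flag screening over account events (added example, not the FTC's rules).
Rules, response tiers and the sample account below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    when: datetime
    kind: str                      # e.g. "address_change", "card_request", "application"
    detail: dict = field(default_factory=dict)


@dataclass
class Account:
    account_id: str
    dob_on_file: str
    events: list


# Step 1: the red flags this hypothetical program chooses to recognise.
def flag_credit_report_alert(acct):
    return any(e.kind == "credit_report_alert" for e in acct.events)


def flag_inconsistent_info(acct):
    # Application data that disagrees with what is already on file (here: date of birth).
    return any(e.kind == "application"
               and e.detail.get("dob") not in (None, acct.dob_on_file)
               for e in acct.events)


def flag_address_change_then_card(acct, window=timedelta(days=30)):
    # An address change followed within `window` by a request for a new or replacement card.
    changes = [e.when for e in acct.events if e.kind == "address_change"]
    return any(e.kind == "card_request"
               and any(timedelta(0) <= e.when - c <= window for c in changes)
               for e in acct.events)


def flag_external_notice(acct):
    # Notice from law enforcement or a customer that the account may be misused.
    return any(e.kind == "external_notice" for e in acct.events)


# Rule name -> (detector, risk tier, proportionate response). Tiers are constructed.
RULES = {
    "credit_report_alert": (flag_credit_report_alert, "medium", "verify_identity_before_proceeding"),
    "inconsistent_personal_info": (flag_inconsistent_info, "low", "monitor_account"),
    "address_change_then_card_request": (flag_address_change_then_card, "medium", "hold_card_and_verify_out_of_band"),
    "external_notice": (flag_external_notice, "high", "close_account_and_notify_law_enforcement"),
}
TIERS = ["low", "medium", "high"]


# Step 2: detection over an account's event history.
def detect(acct):
    return sorted(name for name, (rule, _, _) in RULES.items() if rule(acct))


# Step 3: respond in proportion to the most severe flag; escalate for aggravating factors.
def respond(flags, recent_breach=False):
    if not flags:
        return ("none", "no_action")
    tier, action = max(((RULES[f][1], RULES[f][2]) for f in flags),
                       key=lambda r: TIERS.index(r[0]))
    if recent_breach and tier != "high":
        tier = TIERS[TIERS.index(tier) + 1]          # one tier up
        action = "escalate: " + action
    return (tier, action)


# Step 4: the program is updated by registering new rules as new patterns emerge.
def register_rule(name, detector, tier, action):
    RULES[name] = (detector, tier, action)


# Constructed sample account: address change, then a card request, then a mismatched DOB.
T0 = datetime(2024, 1, 1)
SAMPLE = Account(
    account_id="ACCT-0001", dob_on_file="1980-05-04",
    events=[
        Event(T0, "login"),
        Event(T0 + timedelta(days=2), "address_change", {"new": "PO Box 99"}),
        Event(T0 + timedelta(days=5), "card_request", {"reason": "lost"}),
        Event(T0 + timedelta(days=6), "application", {"dob": "1981-05-04"}),
    ],
)

if __name__ == "__main__":
    flags = detect(SAMPLE)
    print(SAMPLE.account_id, flags, respond(flags), respond(flags, recent_breach=True))
```

The point of the structure is that each red flag carries its own tier and response, so the Program's "proportionate" requirement is encoded in data that leadership can review in the annual report, and a new pattern is added by registering one detector rather than rewriting the screening logic.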
Administering the Program
The program must be formally approved by the organization’s Board of Directors or senior management and must be:
- Actively overseen by designated senior personnel.
- Supported by training for relevant staff.
- Reviewed and updated regularly.
Annual reports to leadership are required and must evaluate:
- The program’s effectiveness.
- Identity theft incidents and responses.
- Oversight of service providers.
- Recommendations for program changes.
Service Provider Oversight
Businesses must ensure that service providers (e.g., billing companies, collection agencies) also adhere to identity theft prevention standards. This can be achieved by:
- Including compliance provisions in contracts.
- Requiring regular reporting.
- Sharing internal policies and expectations.
Providers may use their own identity theft programs if they meet the Rule’s standards.
FAQ Highlights
- Merely accepting credit cards does not make a business a “creditor.”
- Billing clients at the end of the month does not qualify as “advancing funds.”
- Businesses using credit reports for decisions (even through third parties) are typically covered.
- Businesses must assess all accounts (credit and non-credit) for coverage.
- Even low-risk businesses must have a written program, though a simple one may suffice.
Conclusion
The Red Flags Rule is designed to help businesses detect and prevent identity theft through a customized, risk-based program. While the complexity of a program should reflect the level of risk, all covered entities must remain vigilant, keep their programs current, and train their personnel accordingly. The Rule underscores that identity theft prevention is a shared responsibility between organizations, their staff, and their service providers.
Source
Federal Trade Commission. (2013). Fighting identity theft with the Red Flags Rule: A how-to guide for business. https://www.ftc.gov/business-guidance/resources/fighting-identity-theft-red-flags-rule-how-guide-business