Flags that signal the risk of identity theft include suspicious activity indicating that identity thieves may be using stolen information, such as names, Social Security numbers, account numbers, and birth dates, to open new accounts or raid existing ones.

Under the Red Flags Rule, which went into effect in 2008, certain businesses and organizations are required to spot and heed the red flags that often can be the telltale signs of identity theft. To comply with the new Red Flags Rule – enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) – you may need to develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.

Are you covered by the Red Flags Rule? If so, have you put into place the new procedures the Rule requires?

Who Must Comply

Although every business or organization with an ongoing relationship with consumers should keep an eye out for the possibility of identity theft, the Red Flags Rule applies only to “financial institutions” and “creditors.” To determine if your business or organization is covered by the Rule and required to develop a written identity theft Program, you’ll need to answer two questions:

  1. Is your business or organization either a “financial institution” or “creditor,” as those terms are defined in the Rule?
  2. If so, do you have “covered accounts”?

A “financial institution” is a bank, savings and loan, credit union, or other entity that holds a “transaction account” belonging to a consumer. A “transaction account” is an account that allows the owner to make payments or transfers. Examples include checking accounts, savings accounts that permit automatic transfers, and share draft accounts. Another example would be a brokerage account that allows consumers to write checks.

Your business or organization is a “creditor” if you regularly:

  • extend, renew, or continue credit;
  • arrange for someone else to extend, renew, or continue credit; or
  • are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

Under the Rule, “credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services. However, simply accepting credit cards as a form of payment does not make you a creditor under the Rule.

If you determine you’re a financial institution or a creditor, the next step is to see if you have “covered accounts.” There are two types of covered accounts. One is an account used mostly for personal, family, or household purposes that involves multiple payments or transactions. Examples include credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts, and checking or savings accounts.

The other is one for which there is a foreseeable risk of identity theft. For example, one type of account that should be considered for coverage because it may be vulnerable to identity theft is a small business or sole proprietorship account. In determining whether you have such an account, consider the risks associated with how the accounts may be opened or accessed – i.e. what type of interaction and documentation is required – as well as your experience with identity theft.

If your business or organization is a financial institution or creditor, but does not have any covered accounts, you don’t need a program. But if you have covered accounts, you must develop a written program to identify and address the red flags that could indicate identity theft.

Learn How to

  • Comply,
  • Detect Red Flags,
  • Identify Relevant Red Flags,
  • Prevent and Mitigate Identity Theft
  • Learn about Penalties for Non-compliance at
