What Is the Identity Theft Red Flags Rule?

The Identity Theft Red Flags Rule is a federal law. It requires financial institutions and certain businesses to help protect consumers against identity theft.

You've seen this rule in action if your credit card issuer or bank has ever called you about suspicious activity. Its name comes from the red flags that can appear on your accounts due to identity theft. This rule compels them to ensure you won't be a victim of identity theft.

The red flags rule stems from the Fair and Accurate Credit Transactions Act of 2003. This law amended the Fair Credit Reporting Act (FCRA).

Under this law, financial institutions must create comprehensive anti-fraud programs. These programs can help you discover and contain identity theft issues quickly.

Who Is Subject To the Rule?

Federal law typically requires the following entities to adopt identity theft prevention programs (ITPPs):

• Banks
• Investment brokers
• Mutual funds
• Credit card companies
• Credit unions
• Online payment service companies

• Other creditors, which may include car dealerships and retailers

These entities must create reasonable policies to protect their customers. Mitigating identity theft is a necessity for doing business in the financial industry.

However, the red flags rule doesn't protect all financial account types. An anti-theft program only needs to protect covered accounts. The Federal Trade Commission (FTC) helps institutions understand which account types the rule covers.

As a consumer, you can generally expect your most sensitive financial information to stay secure because of this rule. ITPPs can let you rest easier when you apply for a loan, get a new account to manage your money, or open a credit card.

A Controversial History

The contentious identity theft red flags rule faced legal challenges. Most of the complaints were about its original scope.

Federal agencies drafted the red flags rule to govern financial institutions and creditors. However, the FTC counted anyone who provided services before billing customers as a creditor. This definition included psychologists, lawyers, and even municipal utility providers.

Congress has since narrowed the definition of creditors for this rule. Creditors generally include businesses that regularly review customers' credit reports or report customer activities to credit agencies. You can check with an organization to see whether it has a program under this rule.

What Are the Red Flags of Identity Theft?

A red flag is a specific activity that suggests a risk of identity theft. The degree of risk can vary based on the type of account, which means red flags can be unique to each business.

Examples of red flags in a customer's account include:

• Unusually large purchases within a short time
• Transaction logs that show usage of your credit or debit card elsewhere in the world
• A change of address (the provider or consumer reporting agency may send you a "notice of address discrepancy" to check whether you moved recently)
• Changes to your account information, such as the name or date of birth attached to the account
• Suspicious documents that show signs of forgery, such as a signature that doesn't match other account documents

Ask your bank and other financial services about how they catch evidence of identity theft. Understanding their specific prevention methods can help you evaluate your account's safety.

Red flags don't always catch identity theft. Some scams can look like legitimate activity to a financial service provider. Watch for the warning signs of a stolen identity to help detect any problems that fly under the radar.

What Do Identity Theft Prevention Programs Include?

Banks and creditors with an ITPP must take all the following steps:

• Identify practices and features that are red flags of identity theft
• Develop a program for recognizing these red flags when they arise
• Establish a plan for dealing with red flags to help prevent identity theft in their businesses
• Keep their identity theft prevention programs up to date

The federal regulation lists these four program elements (16 C.F.R. Part 681). Ultimately, ITPPs should define, notice, and act based on red flags of identity theft.

If the red flags rule sounds open-ended, that's because it is. It applies to many types of businesses and organizations, so the law must be flexible enough to work for all of them.

How the Red Flags Rule Works in Action

The following example of a bank shows how this law can protect you. A bank must comply with the red flags rule, so it will have a written identity theft prevention program.

First: Identifying Relevant Red Flags

Knowing the signs of identity theft is the first challenge.

The bank might determine that a sudden shift in an account holder's spending patterns is a red flag of identity theft.

Second: Detecting Red Flags on Accounts

Once a financial institution identifies which red flags to look for, it needs a way to measure when they happen. Many detection methods are automated so the institution can monitor thousands of accounts.

The bank might decide to flag unusual spending patterns if it appears the account holder:

• Suddenly starts charging more to a credit card
• Begins purchasing valuable and easily transferable items like jewelry
• Makes large purchases out of state or out of the country

The bank won't know yet whether someone has unauthorized access to your card. You might just be enjoying a shopping spree. That's why the next step is to follow up when a red flag triggers the alarm.

Third: Responding to Suspicious Activity

Financial institutions must develop a plan to deal with the red flags they detect. Appropriate responses often involve customer notification and temporary account restrictions.

The bank might take action by:

• Monitoring the account more closely
• Contacting the account holder
• Changing the account's passwords and security codes
• Locking the card or account until the customer verifies information like recent purchases

These actions can annoy customers who are simply changing their habits. Yet, the bank must take appropriate steps. The red flags rule encourages institutions to take a "better safe than sorry" approach.

Fourth: Updating the Identity Theft Prevention Program

Scammers and hackers constantly create new ways to get your information. As their tactics change, the identity theft risks shift.

The red flags rule requires financial institutions to update their programs regularly. Updates may include implementing more modern data security tactics or improving staff training.

It's not enough for the example bank to set and forget its identity theft prevention program. The bank must review its practices to find any vulnerabilities and fix them.

Consumer Protection Beyond the Red Flags Rule

Identity theft is a complicated crime. Thieves have many opportunities to steal your information, whether they hack business systems or trick you.

Many consumer protection efforts help secure sensitive information, including:

• Consumers help protect themselves by guarding their personal identifying information, such as Social Security numbers and driver's license details.
• Businesses maintain security systems to protect their customers' billing information and addresses.
• Financial institutions and creditors monitor activity and respond to identity theft reports under the red flags rule.
• Law enforcement agencies work to detect, track, and eventually prosecute identity thieves.

Together, these various efforts make up a robust defense against identity theft. Unfortunately, they may still fail. If you suspect someone stole your identity, act quickly to report it and recover from your losses.

Know Your Rights Against Identity Theft

Financial businesses and creditors must treat your account and data with care. Identity theft rules make your information more secure — but only if organizations follow them.

A consumer protection attorney can help you resolve identity theft issues. Laws like the red flags rule can be complicated. Your lawyer can explain how it and other identity theft laws apply to your situation.