The Red Flags Rule is an identity theft prevention scheme developed by the Federal Trade Commission (FTC) in the United States. Under the rule, financial institutions and people or companies that could be considered creditors must take a series of steps to identify and prevent identity theft. The goal of the Red Flags Rule is to protect consumer safety by requiring people in possession of identifying information and private financial records to have a system in place for addressing identity theft.
The Red Flags Rule requires those subject to the rule to have a written program in place for handling identity theft. The company could use a generic template or develop its own. The program needs four components. The first is the identification of any red flags, activities or events that might indicate someone is attempting to commit identity theft. These can vary by business and industry. The company must also have a plan in place for detecting these red flags.
Some examples of red flags can include suspicious documents, unusual account activity, queries on an account, or warnings from credit bureaus. There may also be concerns specific to a particular business, like evidence that someone is using falsified insurance information to get health care, or the inability to provide proof of ownership for a home or vehicle before ordering services.
A prevention and action plan must be part of the program under the Red Flags Rule, to make sure the company takes prompt action in cases of suspected identity theft and works to close obvious loopholes. Finally, the company needs to commit to updating the plan. Updates should include new information and policies and must occur on a regular basis. This shows that the business is keeping up with identity theft issues and has plans in place to address them.
Identifying financial institutions like banks and credit unions is easy, but determining what kinds of creditors are subject to the Red Flags Rule is somewhat more complicated. The rule covers people like veterinarians, who may provide services on credit or accept payment plans. Most businesses that allow people to pay later for services could be classified as creditors, ranging from utilities that bill after the fact to accountants who send bills to their clients. The scope of the Red Flags Rule led to several delays in enforcement as industry lobbyists argued that compliance would be difficult for small businesses, particularly those run by self-employed people.