The Federal Trade Commission (FTC) has announced publication of an Interim Final Rule on identity theft “red flags” that narrows the circumstances under which creditors are covered by the rule.

Congress directed the FTC, along with several banking agencies to develop regulations requiring “financial institutions” and “creditors” to develop and implement a written identity theft prevention program.   By identifying “red flags” for identity theft in advance, businesses can be better equipped to spot suspicious patterns that may arise — and take steps to prevent potential problems from escalating into a costly episode of identity theft.

Under the rule, Red Flag Programs must have four parts.  First, the program must include reasonable policies and procedures to identify signs – or “red flags” – of identity theft in the day-to-day operations of the business.  Second, the program must be designed to detect the red flags of identity theft identified by the business.  Third, the program must set out the actions the business will take upon detecting red flags.  Finally, because identity theft is an ever-changing threat, a business must re-evaluate its program periodically to reflect new risks from this crime. 

The agencies promulgated the Red Flags Rule in 2007.  In December 2010, Congress enacted legislation narrowing the definition of “creditors” covered by the rule.  The amended Red Flags Rule now provides that a creditor is covered only if, in the ordinary course of business, it regularly:

  • Obtains or uses consumer reports in connection with a credit transaction;
  • Furnishes information to consumer reporting agencies in connection with a credit transaction; or
  • Advances funds to or on behalf of a person in certain cases.