Financial institutions and businesses that extend credit to consumers will soon need to comply with new rules effective November 1, 2008 designed to protect against identity theft. The Federal Trade Commission, Federal Reserve, and other financial regulators have developed the Red Flag Rules under the Fair and Accurate Credit Transactions Act of 2003.

The Red Flag Rules apply to “financial institutions” and “creditors” with “covered accounts.” A financial institution is essentially a bank or credit union that holds a deposit or other type of account on behalf of consumers. “Creditor” has a much broader definition that includes any entity that regularly extends credit or is an assignee of an original creditor and is involved in the decision to extend credit. A “covered account” is an account used for personal, family, or household purposes that involves multiple payments or any account for which there is a reasonable foreseeable risk of identity theft.

The Rules are designed to make sure creditors are investigating the identity of the individuals to whom they extend credit. The broad definition of “creditor” includes finance companies, car dealers, mortgage brokers, utility companies, telecommunications companies, and non-profit and government entities that defer payment for goods and services.

The Rules are flexible depending on the size and nature of the financial institution or creditor and include 26 possible “red flags” to be identified in a written identity theft prevention program, including:

  • Forged applications
  • Suspicious documents, personal identifying information, or addresses
  • Change of address followed by a request for a new credit card
  • Consumer reporting agency alerts or warnings
  • Identical social security numbers supplied by different customers
  • Customers not receiving account statements; and
  • Inactive accounts

Financial institutions and creditors must have a written program that detects red flags in connection with a covered account by November 1, 2008. Failure to comply could result in monetary fines and enforcement actions. Furthermore, companies that unwittingly facilitate identity theft are often subject to significant negative media attention. Some commentators suspect that the Red Flag Rules will eventually become the standard of care for determining whether a company has negligently contributed to identity theft.