Over the past decade, one of the central consumer issues has been the significant increase in widespread identity theft.  In response, Congress and the Federal regulatory agencies have worked hard to create a statutory and regulatory framework for protecting consumers from identity theft.  In 2003, Congress passed the Fair and Accurate Credit Transactions Act (FACTA) which amended the Fair Credit Reporting Act (FCRA).  The FACTA amendments included several provisions designed to protect consumers from identity theft—including theRed Flags Rule.

The Red Flags Rule has been in full effect now for four years. This Rule was designed by the Federal Trade Commission and the Federal banking agencies to deter identity theft by requiring finance companies and other financial institutions that enter into consumer credit transactions or hold consumer transaction accounts to develop, implement and administer identity theft policies.

A company’s identity theft policy should be designed to detect, prevent and mitigate red flags—patterns or practices that could indicate the possibility of identity theft.  The Rule suggests five categories of red flags:

  • Alerts from a consumer reporting agency
  • Suspicious looking documents
  • Suspicious looking personal information
  • Suspicious activity relating to an account
  • Notices received about possible identity theft.

The Rule also requires that a company’s identity theft policy be appropriate to the size, nature and complexity of the company.  That is, the Rule provides for flexibility.  What is required for a nationwide consumer finance company is not expected of a “mom and pop” company.  But, at a minimum, a company’s policy should include the following fundamental elements:

  • Identifying red flags specific to the type of business
  • Developing a system that can detect the red flags in the routine operation of the business
  • Preventing and mitigating harm that results when identity theft is discovered, including the action the company will take
  • Continuously evaluating the identity theft policy of the company for any necessary tweaks and continuously providing for employee education.

Interestingly, the Red Flags Rule is one of the few consumer protection rules that the CFPB does not examine for compliance.  However, the CFPB Supervision and Examination Manual states, “If CFPB examiners become aware of potential issues in this area, the appropriate federal regulator should be notified.”  For that reason and, of course, to protect consumers from harm, finance companies need to have a good identity theft policy to spot suspicious patterns and prevent the costly consequences.  A company’s policy may not always work, but the failure to implement a policy is guaranteed to have costly consequences. And, it’s the law.