Under the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), which amended the Fair Credit Reporting Act (“FCRA”), the federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission (“FTC”) (collectively, the “Agencies”) jointly issued regulations regarding the mandatory creation and implementation of a program to prevent and uncover identity theft of a customer, and other frauds that may be perpetrated against the financial institution or creditor and its customers. Each financial institution or creditor subject to the Agencies’ respective enforcement authority is required to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. Moreover, these regulations, referred to as the “Red Flag Rules,” require that each financial institution and creditor establish written guidelines—their own Identity Theft Prevention Program (“Program”)—regarding identity theft in order to identify possible risks to its customers or to the safety and soundness of the institutions themselves. 15 U.S.C. § 1681m(e). Financial institutions and creditors must have their Programs in place by November 1.

Coverage and Scope

The Red Flag Rules and guidelines affect all financial institutions and creditors with covered accounts. “Creditor” includes anyone who arranges for the extension, renewal, or continuation of credit (following the definition in the Equal Credit Opportunity Act). The regulations apply to “Covered Accounts,” which are continuing credit relationships established by a person with a financial institution or creditor involving a product or service for personal, family, or household purposes, if the product or service is designed to permit multiple payments or transactions. Examples include credit card accounts, mortgage loans, installment credit, margin accounts, cell phone and other utility accounts, and checking and savings accounts. Covered Accounts also include any other account (including those established for business purposes) where there is reasonably foreseeable risk to a customer or the financial institution from identity theft. Financial institution risks include financial, operational, compliance, reputation, or litigation risks. The Red Flag Rules cover both existing accounts and those in the process of being opened.

Program Requirements

Each financial institution and creditor that holds any Covered Account for which there is a reasonably foreseeable risk of identity theft must develop and implement a Program for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft in connection with the opening of a Covered Account or any existing Covered Account, and must enable a financial institution or creditor to:

  • Identify relevant patterns, practices, and specific forms of activity that are “Red Flags” signaling possible identity theft, and incorporate those flags into the Program. 
  • Detect Red Flags that have been incorporated into the Program. 
  • Respond appropriately to any Red Flags that are detected pursuant to the Program to prevent and mitigate identity theft. 
  • Ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks from identity theft for customers, as well as for the safety and soundness of the creditor.

The Board and senior management must approve and oversee the Program.