On October 22, 2008, the FTC announced a sixmonth extension of the deadline for compliance with the FACTA Identity Theft “Red Flag” Rules in order to give financial institutions additional time to develop and implement identity theft procedures. The compliance date was extended to May 1, 2009. The rules were issued jointly by the Federal Reserve Board of Governors, OCC, FDIC, FTC, and NCUA last year to implement sections of the Fair and Accurate Credit Transactions Act (FACTA) targeted at reducing identity theft. The rules require “financial institutions” and “creditors” with consumer accounts and other accounts “for which there is a reasonably foreseeable risk of identity theft” to develop and implement written identity theft prevention programs incorporating policies and procedures to guard against identity theft.

Although the federal agencies identified 31 patterns and activities as possible indicators of risk of identity theft, the final rules permit covered entities to limit red flags in their businesses based on experience, supervisory guidance and amendment as dictated by circumstances. The rules require financial institutions and creditors to implement procedures which enable them to:

  • identify specific forms of activity which are red flags of possible identity theft in their business;
  • incorporate the red flags in their programs; and
  • detect and respond appropriately to red flags detected to prevent and mitigate identify theft.

The rules also require debit and credit card issuers to establish procedures to assess the validity of notices of address changes when followed by requests for additional or replacement cards, and to take steps to verify the request for the replacement card or the request for address change.