FTC and federal bank regulatory enforcement of the "Red Flags Rule" ("the Rule") begins on May 1, 2009. Promulgated under the Fair and Accurate Credit Transactions Act (FACTA) in order to combat identity theft and mitigate the damage it inflicts, the Rule requires "financial institutions" and "creditors" with "covered accounts" to implement a written identity theft prevention program ("Program") to detect, prevent, and mitigate identity theft in connection with opening new accounts and maintaining existing accounts. The Program must include:

  • reasonable policies and procedures to identify specific patterns or practices ("red flags") which the institution or creditor has determined may indicate the possibility of identity theft based on its own experience;
  • a procedure designed to detect those red flags;
  • specific actions which will be taken when the red flags are detected; and
  • a plan for reevaluating and updating the program periodically to reflect new risks (and new red flags) in order to address continually changing threats.

In addition to state and nationally chartered banks, savings and loans, and credit unions, "financial institutions" covered by the Rule include entities which directly or indirectly hold transaction accounts, i.e., consumer accounts from which checks can be written or other transfers made to third parties, including mutual funds that offer check writing privileges.

Covered "Creditors" include entities which regularly extend or arrange for the extension, renewal, or continuation of credit, and assignees of original creditors who participate in credit decisions. "Covered accounts" include all consumer accounts designed to permit multiple payments, as well as all "other accounts for which there is a reasonably foreseeable risk from identity theft."

The FTC takes the position that the Rule does not include or exclude any particular industry. Rather, applicability depends on whether the company is a "financial institution" or "creditor" with "covered accounts" as defined in the Rule. Thus, any company which extends credit to consumers to purchase its products may become a "creditor." Both creditors and financial institutions must conduct a risk assessment to determine whether they have any accounts for which a reasonably foreseeable risk of identity theft exists.

The Rule provides for civil penalties of $2500 per violation.