Identity theft is a growing concern on a national level primarily due to the increased use of electronic transactions and online technology. Consequently, federal regulatory agencies came together to create the Identity Theft Red Flags Rule ("Red Flags Rule" or "Rule"), which requires financial institutions and creditors to develop and implement identity theft prevention procedures to identify, detect, and respond to activities that could indicate identity theft. The Rule's definition of financial institution and creditor are purposefully broad so that they cover a wide range of entities.

Recently, the Federal Trade Commission ("FTC") announced it was extending the original November 1, 2008 compliance deadline to May 1, 2009. The extension accommodates entities that were uncertain about whether they fell within the Rule's definition of financial institution or creditor as well as those who learned of the Rule's requirements too late to come into compliance.

Entities Covered Under The Red Flags Rule

The Red Flags Rule applies to all financial institutions and creditors that have covered accounts. Since many of these entities continually offer new products, a determination of whether a company has a covered account is an ongoing process.

The Rule defines a financial institution as a bank or other organization that holds customers' funds and permits accountholders to make payments or transfers to third parties, such as checking accounts and savings accounts that allow automatic transfers.

A creditor is defined by the Rule as any entity that regularly extends credit, which includes finance companies, casinos, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. 

Under the Red Flags Rule, a covered account is an account primarily for personal, family, or household purposes that permits multiple payments or transactions. Common examples are credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. The term covered accounts also includes any other account that is vulnerable to identity theft, such as small business accounts.


The Red Flags Rule covers a broad range of the firm's clients; therefore, immediate measures should be taken to help them meet the extended May 1, 2009, deadline. The first step toward compliance is a comprehensive review of each client's existing fraud prevention policies to determine if they can be tailored to meet the Rule's provisions. Also, assistance should be provided for the development and implementation of training programs as well as the investigation and response to identity theft incidents.