Red Flags Rule – Guidelines for Responding for Financial Institutions and Creditors

By Brooks Hoffman, LifeSpan Technology Recycling


The Red Flags Rule was promulgated by the Federal Trade Commission and other federal agencies charged with overseeing compliance with the Financial Services Modernization Act (GLB), the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA). It states that all Financial Institutions and others who are considered “Creditors” must:

  1. Identify in writing the areas of their operation where the personal information of their clients is at risk of unauthorized access;
  2. Develop written procedures to mitigate that risk;
  3. Detect unauthorized access if or when it happens.

Who Is Covered

The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions of a Financial Institution or Creditor. The definition of Financial Institution is fairly self-evident. It includes state and national banks, savings and loan associations, credit unions, mutual funds that offer accounts with check-writing privileges, and any other person that, directly or indirectly, holds a transaction account belonging to a consumer.

The definition of “Creditors” is quite broad and includes businesses that regularly defer payment for goods or services or provide goods or services and bill customers later. Examples include: utility companies, health care providers, telecommunications firms, finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers obtain financing from others. If your organization regularly extends credit to other businesses, you are also covered under this definition.

How to Comply

If you’re a Creditor or Financial Institution with covered accounts, you must develop and implement a written Identity Theft Prevention Program. The Program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts or the operation of existing ones. To comply with the Red Flags requirements you should:

  1. Add language to your policies and procedures identifying areas where information may be at risk of unauthorized access. You will need to specifically call out each area of vulnerability – including the retirement of end-of-life electronics assets containing potentially sensitive information. Procedural direction regarding the detection of unauthorized access also needs to be added.
  2. Add specific language to your contracts, agreeing to comply with the Red Flags Rule. LifeSpan does not represent itself as a qualified provider of legal advice. It is the prerogative of each company to obtain appropriate legal counsel when adding any language to a contract.

Penalties & Prosecution

The FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court, on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation. Injunctive relief in cases like this often requires the parties being sued to comply with the law in the future, as well as provide reports, retain documents, and take other steps to ensure compliance with both the Rule and the court order. Failure to comply with the court order could subject the parties to further penalties and injunctive relief.

The FTC has delayed enforcement of the Red Flags Rule until November 1, 2009 and has provided guidance on the applicability of the Rule to employee benefit sponsors and administrators in a series of Frequently Asked Questions posted to its website:

For a copy of the full text of the Rules, visit the following to access the Rules and Regulations published in the Federal Register: