Red Flags Rule

About the Red Flags Rule

On October 31, 2007, a joint committee of the OCC, Federal Reserve Board, FDIC, OTS, National Credit Union Administration (NCUA) and the Federal Trade Commission (FTC) passed the final legislation for Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the Identity Theft Red Flags and Notices of Address Discrepancy or “Red Flags Rule”. The Rule requires all organizations subject to the legislation to develop and implement a formal, written and updated Identity Theft Prevention Program (Program) to detect, prevent and mitigate identity theft.

The final rule became effective on January 1, 2008, and all covered entities had to be compliant with the Rule by November 1, 2008. The FTC enforcement date is effective January 1st, 2011.

Who must comply with the Red Flags Rule

The Red Flags Rule applies to financial institutions and creditors with covered accounts.

A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they are also considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.


A covered company is an organization that must comply with the Rule because it has identified covered accounts in its risk assessment process.

A covered account is an account used mostly for personal, family, or household purposes, which involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft such as small business or sole proprietorship accounts.

A financial institution is typically defined as a bank, savings and loan association, credit union, or any other entity that holds a transaction account belonging to a consumer.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not make an entity a creditor.

Red Flag Program Clarification Act of 2010

Following Senate approval of the bill, the House also passed the “Red Flag Program Clarification Act of 2010” on 12/7/2010. The Act, which was subsequently approved by the President of the United States, excludes certain entities from the covered entities under the Red Flags Rule.

The Clarification Act includes the following language regarding the definition of a creditor as one that regularly and in the ordinary course of business:

  • Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction,
  • Furnishes information to consumer reporting agencies in connection with a credit transaction, and
  • Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. This excludes creditors who advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.
