Red Flags Rule Compliance


Identity Management Institute® (IMI) has developed comprehensive Red Flags Rule (“Rule”) compliance services in the following three categories:

Program Services

IMI offers Red Flags Rule compliance services for organizations at various stages of their Identity Theft Prevention Program implementation:

1) Development – For organizations which have not yet developed a Red Flags Rule compliance program, certified IMI members will work with company management and staff to guide them through the development stage by providing the necessary checklists, templates and guidance.

2) Pre-Assessment – For organizations which have developed a Program but need an independent assessment of their Program before certification, IMI offers a pre-assessment service which reviews the Program documentation and provides management with a list of actionable steps to ensure a complete compliance program.

3) Certification – Organizations which have a Program in place and feel that their Program is complete and ready for a certification audit can engage IMI to complete an audit and certify their Program.

Specific Compliance Services

Certified Red Flag Specialist® members can assist companies with their Red Flags Rule compliance needs by:

  • Developing a risk assessment methodology and conducting a comprehensive risk assessment of the organization,
  • Designing and developing a written Identity Theft Prevention Program,
  • Conducting an independent Red Flags Rule compliance audit to assess the effectiveness of the program, and
  • Offering training assistance.

Compliance team members are active Certified Red Flag Specialist® professionals who have audit, compliance, security and fraud management experience. CRFS members undergo comprehensive training and rigorous examination by IMI, and are familiar with the government examination guidelines.


Benefits of a Red Flags Rule Audit

A Red Flags Rule compliance audit and certification has many benefits, including independent validation of the Program’s completeness as well as the identification of improvement opportunities in the company’s compliance and identity theft risk management posture. Other benefits may include:

  • Consistency and efficiency
  • Higher compliance confidence with the Rule
  • Improved customer satisfaction and loyalty
  • Reduced fraud costs
  • Increased awareness and focus
  • Increased profitability
  • Enhanced corporate status
  • Competitive advantage
  • Lower insurance premiums
  • Lower chance of government audits
  • Preparation for regulatory agency audits

Audit Approach

IMI’s certified members perform the compliance audit using a structured audit program aligned with government audit guidelines to gather information and request documentation for review and testing. The audit deliverables may include an interim report providing improvement recommendations and a final report certifying the Red Flags Rule compliance program. The audit is mostly completed remotely but may require an onsite visit for personnel inquiries, observation, and testing.

Audit Scope

The scope of the audit is limited to the requirements of the Red Flags Rule for implementing a workplace identity theft prevention program in connection with the opening of a new account or any existing account, address change requests, and address discrepancy notices received from credit reporting agencies. Therefore, the audit scope does not include the privacy and protection of personal information collected by the company.

Also, a Red Flags Rule compliance program must be re-certified when material changes are made to the program as a result of regulatory changes or new risk assessment results.

About Red Flags Rule

The Federal regulation requires that all organizations subject to it develop and implement a formal, written and regularly updated Identity Theft Prevention Program (“Program”) to detect, prevent and mitigate identity theft. Visit the Red Flags Rule page to learn more about the regulation.

Who Must Comply

The Red Flags Rule applies to financial institutions and creditors with covered accounts.

A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer.

Creditors include finance companies, non-bank financial services companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they are also considered creditors.

Covered companies typically offer a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, and any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Who Should Consider a Red Flags Rule Audit

Companies which must comply with the Rule may have to undergo an independent audit at the request of various parties, including the Board, auditors, attorneys, and executive management.

According to the Federal Trade Commission, the Rule likely affects over 11 million creditors.

Government Oversight Entity

Most financial institutions are regulated by the Federal bank regulatory agencies and the National Credit Union Administration (NCUA). Financial institutions under the Federal Trade Commission’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.


While government auditors do not conduct routine compliance audits, they will perform an audit in response to a complaint. If your company is covered by the Red Flags Rule, non-compliance will result in a financial penalty. Below is a summary of Red Flags Rule penalties for non-compliance:

  • Federal: The courts could impose penalties of up to $2,500 for each independent violation of the Rule.
  • State Enforcement: States are authorized to bring actions on behalf of their residents and may recover up to $1,000 for each violation, as well as attorney’s fees.
  • After Regulatory Warning: $11,000 per individual incident.
  • Civil Liability: Consumers may be entitled to recover actual identity theft damages and fees of up to $3,500 per violation. Identity theft lawsuits can result in massive financial losses, ruined business reputation, and loss of clients.

Program Audit and Certification Objectives

The primary objectives of the Red Flags Rule compliance audit conducted by IMI are to give company management, its oversight group or person, and regulators the assurance that the Identity Theft Prevention Program is complete and compliant with the Rule, or to provide recommendations to improve the Program. Although compliance with the Rule is mandatory, program certification is not a requirement under the law; however, government examination guidelines and audit programs often call for an independent audit by a qualified third party. Learn more about Identity Theft Prevention Program certification.

Red Flags Rule Audit Components

Identity Management Institute (IMI) has listed four general areas which must be assessed during the audit:

  1. Program Administration
  2. Risk Assessment Process
  3. Red Flag Management
  4. Program Management

Program Administration: The Rule requires the proper administration of the written Program to establish oversight, scope, objectives, responsibilities, reporting and timing. Program administration also requires the designation of a Program manager, periodic updates, independent audits, approval by the Board of Directors (BOD), a committee of the BOD, or senior management, appropriate staff training, and service provider oversight.

Risk Assessment Process: An initial risk assessment must be completed to identify the scope, such as covered accounts, and how identity theft might occur within the organization. Although the regulation identifies certain red flags which need to be addressed, each company must identify identity theft red flags within its own operations based on a comprehensive risk assessment. Subsequent risk assessments are necessary to ensure the Program is updated periodically and reflects changes in the identity theft risks facing companies and their customers. Service provider risks must also be assessed.

Red Flags Management: Once identity theft red flags have been identified in the risk assessment process, the necessary policies and procedures must be established, documented and communicated to detect, prevent and mitigate identity theft.

Program Management: Program management ensures established plans, policies and procedures are followed to effectively identify, detect, and prevent identity theft. Employee training, monitoring, event logging, and lessons learned from internal and external events are addressed when managing the Program. Gathering and analyzing relevant information from all business areas, audit reports, and industry news is part of a comprehensive risk management process which may require Program updates and staff communication.

Please refer to the detailed examination guidelines for more information.

Auditor Accreditation Process

Interested audit organizations may register with IMI and become an approved certification body to audit identity theft prevention programs. Accreditation ensures that registered certification bodies follow a pre-approved audit and certification approach designed by IMI. By joining IMI, registered audit organizations will gain the confidence of their clients and receive referrals by being listed on the IMI website as registered auditors.

Accreditation requirements include active IMI membership and the CRFS designation for audit staff and managers.

Contact Us

Please contact IMI to discuss your Red Flags Rule compliance needs and the application process for certification or accreditation. Please submit your inquiry.