The Federal Trade Commission Red Flag Rules: What Your Institution Needs to Know

The Federal Trade Commission has established that roughly nine million Americans are victims of identity theft each year.

To help reduce these numbers, the Federal Trade Commission developed a series of red flags to help your organization identify fraud attempts before criminals can succeed.

The Federal Trade Commission Red Flag Rules are the rules governing the protection of credit card information.

It is the responsibility of the company to be aware of when an unauthorized person is using a customer’s account.

For businesses whose customers have given them credit card information, this is a requirement they must meet to avoid penalties from the Federal Trade Commission.

What is the FTC Red Flags Rule?

The Federal Trade Commission developed a regulation that requires businesses to create and implement an identity theft program to help prevent and detect possible identity theft.

Under the Red Flags law, organizations are required to write up an identity theft prevention program that helps identify any relevant “red flags” that may indicate a consumer is a victim of identity theft.

The program is meant to help organizations identify suspicious patterns and take the appropriate steps to prevent the consequences of identity fraud for consumers.

Avoid common compliance risks by hiring a professional compliance auditing and risk assessment team to help create your company’s Red Flags policy.

What is considered a red flag under the Red Flags Rule?

A Red Flags program must include reasonable policies and procedures to identify red flags that may occur in company operations.

Financial institutions and creditors can use the following categories as red flag examples:

  1. Warnings, alerts, or notifications from a consumer reporting agency
  2. Suspicious documents
  3. Unusual or suspicious activity related to a covered account
  4. Suspicious personal information such as inconsistent name or address
  5. Notifications from customers, law enforcement, or other businesses and victims of identity theft regarding possible theft of specific accounts

What are the four elements of the Red Flag Rule?

The financial institution needs to comply with the Red Flags Rule by doing the following:

  1. Identify red flags of identity theft. The program should include policies and procedures to identify red flags which may occur in daily operations. Red flags represent suspicious patterns and practices that can be clues that identity fraud activity occurred.
  2. Take steps to recognize red flags when they are found. It should be designed to detect red flags and allow for easy identification of inconsistencies that may indicate foul play.
  3. Develop a plan for addressing red flags when detected. The plan and appropriate actions to be taken should be written in the program.
  4. Continuously update the program to address newer identity theft opportunities and strategies used by criminals. The Red Flags policy should detail how the institution plans to keep the program current to reflect these new and emerging threats. One example is keeping abreast of new threats through email subscriptions to helpful industry resources.

How many red flags can be identified?

The Red Flags Rule lists 26 identity theft flags that your institution should consider when creating an effective identity theft prevention and training program.

These flags aren’t just important for compliance reasons, but they help form the outline of the identity risk assessment.

Your institution should consider these 26 flags and choose the ones that apply specifically to your business when defining your program.

  1. Consumer fraud report alerts
  2. Notice of a credit freeze in response to a request for a consumer report, since a person who has placed a freeze is unlikely to be applying for credit
  3. Unusual credit activity such as an increased number of new accounts or spending
  4. Identification documents appear altered or forged
  5. Photograph on ID is inconsistent with the customer’s appearance
  6. Information on ID is inconsistent with information being provided by the individual attempting to open the account
  7. Information on ID is inconsistent with what’s on file
  8. Application appears forged
  9. Personal information is lacking or inconsistent across multiple sources
  10. Date of birth and social security number range lack a correlation
  11. Personal information is already associated with other identity theft incidents
  12. Suspicious information is provided such as an address at a P.O. box or prison
  13. The social security number submitted matches that of another person or customer
  14. Phone number or address matches that of another person or existing customer
  15. Person attempting to open the account isn’t able to supply additional identifying information in response to an incomplete application
  16. Personal information is inconsistent with information on file at financial institutions or with creditors
  17. An existing customer isn’t able to answer the challenge questions
  18. The creditor receives a request for additional users on an account shortly after a change of address was issued
  19. A notice of address discrepancy is reported by a consumer reporting agency
  20. Most of or all of a customer’s credit is used for cash advances, jewelry, or electronics and the first payment is not processed
  21. There’s a drastic change in payment patterns, use of available credit, or spending patterns
  22. A long-time inactive account suddenly becomes unusually active
  23. Mail sent to the customer repeatedly is returned despite ongoing transactions on the account
  24. Financial institution or creditor is notified that the customer is not receiving paper account statements
  25. Financial institution or creditor is notified of unauthorized changes or transactions on the customer’s account
  26. Financial institution or creditor is notified that the account has been opened fraudulently
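Several of the flags above describe checks an institution can automate against its own records. The following is an added example written for this page, not code from the article or from RADD, LLC: it evaluates flags 13, 14, 18, 22 and 23 over constructed customer and account-event records. The record layout, event labels, time windows and flag wording are assumptions chosen for illustration; real thresholds belong in the institution's written program.

```python
"""Added example: automated checks for a subset of the 26 Red Flags.

Constructed records and assumed thresholds; not an FTC or RADD, LLC artifact.
"""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Customer:
    customer_id: str
    name: str
    ssn: str
    phone: str
    address: str


@dataclass
class Event:
    """One account event; `kind` is a constructed label, not a standard code."""
    account_id: str
    when: date
    kind: str  # "transaction", "address_change", "add_user" or "mail_returned"


def shared_identifier_flags(applicant: Customer, on_file: List[Customer]) -> List[str]:
    """Flags 13 and 14: the applicant's SSN, phone or address already belongs to someone else."""
    flags = set()
    for other in on_file:
        if other.customer_id == applicant.customer_id:
            continue
        if other.ssn == applicant.ssn:
            flags.add("13: SSN matches another customer")
        if other.phone == applicant.phone:
            flags.add("14: phone matches another customer")
        if other.address == applicant.address:
            flags.add("14: address matches another customer")
    return sorted(flags)


def add_user_after_address_change(events: List[Event], window_days: int = 30) -> bool:
    """Flag 18: an add-user request arrives within `window_days` of an address change (assumed window)."""
    changes = [e.when for e in events if e.kind == "address_change"]
    adds = [e.when for e in events if e.kind == "add_user"]
    return any(0 <= (a - c).days <= window_days for c in changes for a in adds)


def dormant_account_reactivated(events: List[Event], dormant_days: int = 365) -> bool:
    """Flag 22: a gap of at least `dormant_days` between transactions, then activity resumes."""
    txns = sorted(e.when for e in events if e.kind == "transaction")
    return any((later - earlier).days >= dormant_days for earlier, later in zip(txns, txns[1:]))


def returned_mail_during_activity(events: List[Event], min_returns: int = 2) -> bool:
    """Flag 23: mail returned repeatedly while transactions continue on the account."""
    returns = sorted(e.when for e in events if e.kind == "mail_returned")
    if len(returns) < min_returns:
        return False
    first_return = returns[0]
    return any(e.kind == "transaction" and e.when >= first_return for e in events)


def evaluate_account(events: List[Event]) -> List[str]:
    """Run the account-level checks and return the triggered flag labels."""
    flags = []
    if add_user_after_address_change(events):
        flags.append("18: add-user request shortly after address change")
    if dormant_account_reactivated(events):
        flags.append("22: dormant account reactivated")
    if returned_mail_during_activity(events):
        flags.append("23: returned mail despite ongoing transactions")
    return flags


# --- constructed sample data -------------------------------------------------
CUSTOMERS_ON_FILE = [
    Customer("C001", "Ana Ruiz", "000-11-1111", "555-0101", "1 Elm St"),
    Customer("C002", "Ben Ito", "000-22-2222", "555-0102", "2 Oak Ave"),
]
# Applicant reusing an existing customer's SSN and address (constructed).
APPLICANT = Customer("NEW1", "Ben Itoh", "000-22-2222", "555-0199", "2 Oak Ave")

ACCOUNT_EVENTS = [  # constructed history that trips flags 18, 22 and 23
    Event("A9", date(2023, 1, 10), "transaction"),
    Event("A9", date(2024, 3, 1), "transaction"),    # 416-day gap before this
    Event("A9", date(2024, 3, 2), "address_change"),
    Event("A9", date(2024, 3, 5), "mail_returned"),
    Event("A9", date(2024, 3, 9), "add_user"),       # 7 days after the address change
    Event("A9", date(2024, 3, 12), "mail_returned"),
    Event("A9", date(2024, 3, 15), "transaction"),   # activity continues after returns
]
CLEAN_EVENTS = [  # constructed history with nothing suspicious
    Event("A1", date(2024, 1, 1), "transaction"),
    Event("A1", date(2024, 2, 1), "transaction"),
]

if __name__ == "__main__":
    print(shared_identifier_flags(APPLICANT, CUSTOMERS_ON_FILE))
    print(evaluate_account(ACCOUNT_EVENTS))
    print(evaluate_account(CLEAN_EVENTS))
```

Each check returns a labelled flag rather than a verdict: under the four elements of the rule, detection is only the second step, and the written program must say what staff do once a flag is raised.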

Who do the red flags apply to?

The FTC requires businesses defined as financial institutions or creditors to implement a written Red Flag Program to detect, prevent, and mitigate identity theft within covered accounts.

These consumer accounts can include:

  • accounts that permit multiple payments or transactions
  • credit card accounts
  • margin accounts
  • checking or savings accounts
  • any account reasonably foreseeable to be a potential victim of identity theft

The FTC requires these institutions and creditors to conduct periodic risk assessments to determine if they handle any accounts covered under the law.

Financial Institutions

The Red Flags Rule identifies any of the following as entities that the law applies to:

  • state or national banks
  • mutual savings banks
  • federal or state savings and loan associations
  • federal credit unions
  • any person that holds a transaction account that belongs to a consumer

Creditors are generally defined as entities that give advances or loans of money to consumers.

This does not include entities that give advances for expenses relating to a service provided by the institution.

Here are some criteria your institution can review to help understand if you fall under the Red Flag Rules requirements.

Does your institution regularly:

  • defer payments for goods and services?
  • grant or arrange credit?
  • participate in decisions related to credit terms such as renewing, extending, or setting?

If your answer was “no” to all three questions, the rule does not apply to your institution and you may breathe easy.

If you answered “yes” to one or all of the questions, your institution should review the following:

  • Does your institution request, get, and use consumer reports regarding credit transactions?
  • Is information transferred to credit reporting agencies about credit transactions?
  • Are funds provided to someone that must repay them with funds, property, or collateral?

If you said no to all of these, the Red Flag Rules do not apply to your institution.

If you said yes, your business is considered a creditor and needs to abide by the law.

Covered Accounts

Covered accounts are generally accounts that a financial institution or creditor offers or maintains for personal, family, or household purposes.

Such an account involves or is designed to permit multiple payments or transactions.

Accounts that pose a reasonable risk of identity theft to consumers are also covered accounts.

What are the consequences for non-compliance with the Red Flags Rule?

Penalties for non-compliance with the Red Flags Rule are $3,500 in civil fines per violation.

Each infraction can also cost your institution up to $2,500 due to the FTC.

Completing a red flags risk assessment or creating a policy is not enough to follow the regulation.

It should be incorporated into daily business operations.

Having a strong program will help your institution ensure the safety of its customers against identity fraud.

Being vigilant and following the procedures listed above can help protect against these types of crimes.

If you are concerned about protecting your customers from identity theft and have identified that your institution falls under the umbrella of the rule, contact our experienced team at RADD, LLC to help bring you up to speed!