Triware Networld Systems 




Information Security & Privacy Regulatory Compliance: The Red Flags Rules

If you are a financial institution or a creditor, you should already know about the Red Flags Rules and how they affect your organization. Even if you are not a financial institution, if you don't know what the Red Flags Rules are, you will want to keep on reading.

Many institutions that would not normally be regulated by the Federal Trade Commission (FTC) are in fact now regulated by the FTC with respect to identity theft, based on the Red Flags Rules. If you are deemed to be a creditor, you will be affected by the Red Flags Rules. The penalty for being out of compliance with these rules is ten times more damaging than HIPAA, so this is serious business.

The good news is that "accepting credit cards as a form of payment does not in and of itself make an entity a creditor." That activity does, however, subject you to PCI DSS, which is another regulation that has been discussed in a different article.

For the purposes of the Red Flags Rules, a creditor includes "finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they too are to be considered creditors."

Let's see if your business is a creditor.

Your business or organization is a "creditor" if you regularly:

- extend, renew, or continue credit;
- arrange for someone else to extend, renew, or continue credit; or
- are the assignee of a creditor who is involved in the decision to extend, renew, or continue credit.

If you are a creditor and you maintain a special type of account called a "covered" account under the rule, then you are subject to the Red Flags Rules.

If your business is neither a financial institution nor a creditor, congratulations: you are done with this article and can stop reading.

Let's see if your business has "covered" accounts.

Do you open, maintain or report on accounts for your customers that are used mostly for personal, family, or household purposes and that involve multiple payments or transactions?

Examples of this type of account (covered accounts) are:

- Credit card accounts
- Mortgage loans
- Automobile loans
- Margin accounts
- Cell phone accounts
- Utility accounts
- Checking accounts
- Savings accounts

These types of accounts are considered "covered accounts" and fall under the Red Flags Rules.

In addition, any account "for which there is a foreseeable risk of identity theft," such as a sole proprietorship account, is subject to the Red Flags Rules.

If you think that any of your business activities involve servicing or monitoring these types of accounts, you are regulated by the Red Flags Rules.

Okay, I'm subject to yet another regulation, so how do I address it?

The good news is that your response can be scaled to your organization's size and activities. The bad news is that the Red Flags program you need to implement is described in the November 9th 2007 Federal Register. Fortunately, you're reading this article, which will hopefully help you understand the Rules and become compliant.

Wait, wait, wait -- this sounds like too much work! What if I just ignore the Rule?

No problem, the penalty for each violation of the Red Flags Rule is $2500.  Moving on...

To address the Red Flags Rules, you are going to need a written policy and procedure for identifying identity theft within your customers' accounts. The "red flags" in the Red Flags Rules are activities that, taken separately or as a whole, could lead one to suspect that identity fraud is taking place on an account your business manages or monitors.

Go to for a clear example of Red Flags Rules (Special thanks to Bankers Online).

You may also go to the source: page 63774, Supplement A to Appendix A (Special thanks to the Federal Government).

Okay, let us get to the main points you will need to comply with:

- You will need a written identity theft policies and procedures program.
- In this program, you should identify in writing the Red Flags that are relevant to your organization.
- You may use your existing policies and programs (for example, your information security program), but you will need to create an identity theft section.
- You will need to create procedures within your organization that detect the Red Flags you have identified as relevant.
- You will need a written procedure on how to respond to the detection of Red Flags.
- You will need to update the program as your company changes and as alerts come to you from credit reporting agencies, the FTC, or other agencies.
- The Board of Directors must approve and oversee the identity theft program, and they are ultimately responsible for its appropriate use. They may of course delegate the activities, but they may not transfer the responsibility for the success of the program to anyone else.
- There are some legal requirements for some institutions concerning the reporting of suspicious activity or the granting of credit when fraud is detected. You will need to see your legal counsel for more detail. (I know, I hate it too, but even if I were a lawyer, I couldn't give you legal advice in this article.)


Here is a link with an example of an identity theft program. Yours will need to be tailored to your specific organization's activities.

While the Red Flags Rules can be complex, hopefully this article has provided you with a good overview of the types of activities you will need to engage in to become compliant with these Rules. You should also have a good understanding of the risks you take by not complying with this new FTC regulation.

Feel free to contact us if you have questions regarding becoming compliant with these new and necessary rules for safer commerce.

By John Barchie, Senior Information Security Governance Fellow

John Barchie Biography

John Kenneth Barchie, CISM, CISSP, CNE, MCSE is an Information Technology and Information Security Expert with over 15 years in the high-tech and financial industries. John has been engaged to manage, audit, review and improve over 200 information technology departments and to charter corporate security functions.


© Copyrights Triware Networld Systems, L.L.C. ® 1991-2018