How to Comply With the FTC's Red Flag Rules
The Federal Trade Commission (FTC) amended its Fair and Accurate Credit Transactions Act (FACTA) of 2003 to include Red Flag rules. Under these rules, financial institutions and creditors must take additional steps to combat identity theft. This requires the use of written programs and procedures for identifying "red flags" or warning signs of identity theft. Red flags or warning signs can include unusual account activity and fraud alerts. As of November 1, 2008, all financial institutions and creditors must be Red Flag compliant.
Instructions
1. Study identity theft and Red Flag rules. Before an organization can develop and implement a written Red Flag program, it must understand identity theft and Red Flag rules. Identity theft is the unauthorized use of another person's identity or personal information. Instances can include applying for a loan or using someone's account without his permission. Red Flag rules fall into five categories of identity-theft warning signs: alerts, notifications or warnings from consumer reporting agencies; suspicious documents; suspicious personal information, such as a suspicious address; unusual account activity; and notices from customers, law enforcement, victims of identity theft, or other businesses about possible identity theft on covered accounts.
2. Develop your Red Flag program. As part of the Red Flag rules, financial institutions and creditors must have written programs or procedures for detecting, preventing and dealing with instances of identity theft. Financial institutions include banks, savings and loans (S&Ls), credit unions and any other entity that holds consumer transaction accounts. Organizations have the flexibility to design and implement their own plans based on the size, complexity and nature of their business. These plans, however, must effectively address and mitigate identity theft. Put together a written program that allows the organization to address possible instances of identity theft. This program should provide instructions such as how to proceed if identity theft is suspected regarding an account. This can include reporting the account to a manager and suspending account activity or placing a freeze on the account.
3. Implement your Red Flag program. This should include training to educate staff on the Red Flag program. Any staff members who have access to customer accounts or who may be in a position to detect, prevent or mitigate identity theft should be part of this training. Red Flag rules require your Red Flag program to be managed by the board of directors or senior employees. The program should also provide oversight to make sure it is followed and remains effective. Updates should be made to reflect any changes in identity theft risks.