Beginning on November 1, 2008, financial institutions and businesses that extend or arrange credit for customers will be required to have written identity theft prevention programs. The programs must meet the requirements of regulations issued by the Federal Trade Commission, federal banking agencies and the National Credit Union Administration under the so-called "Red Flag Rules." A key element of the Red Flags Rules is that boards of directors and senior managers must have oversight responsibility for the organizations' identity theft programs.
With regard to creditors, the Red Flag Rules are only meant to apply to those who regularly extend or arrange for credit and assignees of original creditors. This definition includes finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies. It also includes non-profit and government entities when they defer payment for goods or services. Organizations that merely accept credit cards as forms of payment are not deemed to be "creditors" under the Red Flag Rules.
Even if an organization is a "creditor," the Red Flag Rules only apply to its "covered accounts." These are accounts that are used mostly for personal, family or household purposes and that involve multiple payments or transactions. Credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts and savings accounts are all covered accounts. However, certain business accounts are also included as covered accounts.
With regard to financial institutions, the Red Flag Rules apply to banks, credit unions or any entity that holds a "transaction account" belonging to a customer. A "transaction account" is a deposit or other account from which the owner makes payments or transfers. Checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers and share draft accounts are all transaction accounts.
For both creditors and financial institutions, the identity theft prevention program must provide for the identification, detection and response to patterns, practices or specific activities as "red flags" potentially indicative of identity theft. These red flags could include unusual account activity, fraud alerts on a consumer report or attempted use of suspicious account application documents. Oversight of third-party service providers is also required.