Monday, May 4, 2009

Red Flag 101

For those of you that might not be knowledgeable about "Red Flag", the Red Flag rules are our government's latest response to the identity theft crisis.

According to the rules, any company that extends credit in any fashion, must comply by implementing a complete program by August 1, 2009. What does this mean for the consumer? Well, hopefully it will mean that you can worry a little less about having your identity stolen; however, the ultimate responsibility rests with you. Under the rules the covered entities must put into place a program that can do three things:

1. Identify potential identity theft threats
2. Respond to those threats through an established set of guidelines and policies
3. Report the threats to the appropriate authorities.

Each covered entity must have a program in place that is approved by their board of directors and must appoint a "Red Flag Officer".

The Federal Trade Commission is the governing authority over the program. Each violation by a covered entity will be worth a penalty of $2500 as the rules stand right now.

Please feel free to post any questions or comments here and I will do my best to respond quickly and accurately.


The following was released by the FTC on Thursday, 04-30-09. You can view the entire document on at We will continue to keep you posted. KEN

For Release: 04/30/2009
FTC Will Grant Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and
entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements,, and a Web site with more resources to help covered entities design and implement identity theft prevention programs, The compliance template will be available on this Web site.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

Office of Public Affairs