Beginning November 1, 2009, the Federal Trade Commission (FTC) will enforce the Red Flags Rule requiring financial institutions and creditors with covered accounts to implement a written identity theft prevention program that identifies the company's Red Flags—patterns, practices, and activities that indicate the possible existence of identity theft in connection with its covered accounts—as well as how it will detect identity theft and respond appropriately.

Technically, the rule went into effect on January 1, 2008, and compliance with the rule became mandatory on November 9, 2008. However, the FTC ultimately decided to delay enforcement until November 1, 2009, in order to give small businesses and other companies more time to determine whether they are covered by the rule and what they must do to comply.

But even with that delay, and with the enforcement deadline rapidly approaching, many businesses still need to determine whether they are financial institutions or creditors with covered accounts and therefore are obligated to familiarize themselves with the various categories of Red Flags and to adopt an identity theft prevention program.

The rule defines a "financial institution" as 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a "transaction account" belonging to a consumer. A transaction account is an account that allows the owner to make payments or transfers, so mutual funds and brokerages that offer accounts with check-writing privileges are also "financial institutions."

Under the rule, the definition of "creditor" is broad and includes businesses or organizations that 1) regularly provide goods or services first and allow customers to pay later; 2) regularly grant loans, arrange for loans or the extension of credit, or make credit decisions; or 3) regularly participate in the decision to extend, renew, or continue credit, including setting the terms of credit. Examples of groups that may fall within this definition are trade schools, colleges, universities, utilities, health care providers, landlords, telecommunications companies, finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third-party lenders.

The definition of a covered account includes two categories of accounts. The first type is a consumer account offered or maintained primarily for personal, family, or household purposes that involves, or is designed to permit, multiple payments or transactions. Examples are a credit card account, mortgage or automobile loan, cell phone or utility account, or checking or savings account.

The second type is any other account—even a non-consumer account—that is offered or maintained for which there is a foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. In determining whether accounts come under this standard, an institution or creditor should consider the methods it provides for opening and accessing accounts and its previous experience with identity theft.

A covered entity must be familiar with the various categories of Red Flags. Those categories include warnings from third parties, such as credit bureaus and fraud detection services; the presentation of suspicious documents, such as an ID card that appears to have been altered or forged; the presentation of suspicious personal information, such as an invalid Social Security number; the unusual or suspicious use of an account, such as nonpayment when there has been no history of late or missed payments; and notification of identity theft or possible identity theft, such as a notice from a customer or the police.

Designing an identity theft prevention program then requires a covered entity to do the following:

Step One: Identify relevant Red Flags for covered accounts and incorporate them into the program

Step Two: Describe how the company will detect Red Flags

Step ThreeDescribe how the company will respond to Red Flags that are detected to prevent and mitigate identify theft

Step Four: Describe how the company will re-evaluate and update its program periodically to reflect changes in risks to customers or the safety and soundness of the financial institution or creditor from identity theft 

The written identity theft prevention program must describe how it will be administered, include staff training as appropriate, and provide a method for monitoring the work of third-party service providers. A company's board of directors has to approve the program and any material changes to it. If a company does not have a board, the program must be approved by an appropriate senior-level employee.

The identity theft program must be tailored to the entity's size, complexity, and nature of operations. However, the Red Flags Rule does not require that specific practices or procedures be put in place to combat identity theft, giving the business or organization the flexibility to tailor its program according to such things as its own experiences and the particular risks it faces. The FTC will assess compliance based on the reasonableness of a company’s policies and procedures in light of these factors.

In an enforcement action the FTC can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Currently, the maximum civil penalty is $3,500 per violation. (There is no private right of action to enforce the Red Flags Rule.) To lessen the risk of any such action, any business that has not yet made the necessary determinations should act immediately, and, if necessary, give priority to the preparation and implementation of an appropriate identity theft prevention policy.

For assistance in determining whether your business or specific accounts are covered by the Red Flags Rule or in identifying relevant Red Flags and preparing an appropriate identity theft prevention program, contact John L. Culhane, Jr. (215.864.8535 or, Shannon D. Farmer (215.864.8221 or, or Jean C. Hemphill (215.864.8539 or

Copyright © 2009 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.