FTC Issues Amended Rule on Identity Theft ‘Red Flags’

The Federal Trade Commission (FTC) published an interim final rule on identity theft “red flags” that narrows the definition of creditor.

In December 2010, Congress enacted legislation which narrows the scope of entities covered as creditors under the Red Flags Rule. The amended definition of “creditor” is designed to ensure that the Red Flags Rule is consistent with the Fair Credit Reporting Act. The rule now limits the definition of ‘creditor’ to those that ‘regularly and in the ordinary course of business’:

  1. Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
  2. Furnishes information to a consumer reporting agency in connection with a credit transaction; or
  3. Advances funds to a person, or on behalf of a person, where that person is obligated to repay the funds.

Under the rule, Red Flag Programs must have these four parts:

  1. The program must include reasonable policies and procedures to identify signs—or “red flags”—of identity theft in the day-to-day operations of the business.
  2. The program must be designed to detect the red flags of identity theft identified by the business.
  3. The program must set out the actions the business will take upon detecting red flags.
  4. Because identity theft is an ever-changing threat, a business must re-evaluate its program periodically to reflect new risks from this crime.

The interim final rule will be effective on Feb. 11, 2013, which is also the deadline for submitting comments on the interim final rule.


Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.

Posted in Around the NW, Compliance News, Marketing & Communications.