What are the "Red Flag" Rules?
The rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
They require "each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft."
What are basic elements of an Identity Theft Prevention Program?
According to the FTC's Red Flags Rule How To Guide for Business, there are four basic elements of and Identity Theft Prevention Program?
First, your Program must include reasonable policies and procedures to identify the "red flags" of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a "red flag" for your business.
Second, your Program must be designed to detect the red flags you've identified. For example, if you've identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.
Third, your Program must spell out appropriate actions you'll take when you detect red flags.
Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.