Red Flags Rule (RFR)

The Red Flags Rule (RFR) is a set of United States federal regulations that require certain businesses and organizations to develop and implement documented plans to protect consumers from identity theft.

Any creditor or financial institution that offers or maintains covered accounts must implement a Red Flags Rule program. For the purposes of the regulations:

• A covered account is any consumer account that allows payment to be deferred, permits multiple payments or poses a reasonably foreseeable risk to consumers or businesses from identity theft.

• A creditor is any business or organization that regularly provides goods or services and bills customers later.

• A financial institution is any business or organization that, directly or indirectly, holds a transaction account belonging to a consumer.

RFR requires that written plans be specifically tailored to the size, nature and complexity of the applicable business and consider both trends in the marketplace and any historical experiences dealing with identity theft.

Documentation must address these four criteria:

1. What patterns, practices, or specific activities the business or organization will identify as red flags indicating potential identity theft.

2. How the business or organization intends to detect the red flags they have identified.

3. How the business or organization will respond to the detection of a red flag they have identified.

4. How the business or organization intends to evaluate the success of its program and maintain it in the future.

Each plan must be formally authorized and adopted by the entity's governing body or senior management. The plan must state who is responsible for implementing and administering it. It must also address how the business or organization will train its staff, audit compliance and generate annual assessment reports.

The regulations, which were developed by the United States Federal Trade Commission (FTC) along with the Office of the Comptroller of the Currency (OCC), the FDIC, the Federal Reserve and several other federal agencies, fall under the Fair and Accurate Credit Transaction Act of 2003 (FACT Act). In the event of an RFR violation, the regulations state that the FTC may commence a civil action and seek pecuniary penalties not to exceed $2,500 per infraction. Failure to comply with the Red Flags Rule can also serve as the basis for private civil and/or class action lawsuits.

Creditors and financial institutions that allow covered accounts must be in compliance with Red Flags Rule by June 1, 2010.

This was last updated in November 2009
