Regulations Require Financial Institutions and Creditors to Have Identity Theft Prevention Programs

Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new Red Flags Rules.

The Red Flags Rules are part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The Commission staff is launching an outreach effort to explain the Rules in greater detail. It has now published a general alert on what the Rules require, and, in particular, an explanation of which businesses - financial institutions and creditors - are covered by the Rules.

We want financial institutions and creditors to know that they are covered by the Red Flags Rules and to understand what is required of them, said Lydia Parnes, Director of the Bureau of Consumer Protection at the Federal Trade Commission. We encourage all organizations that have ongoing accounts or relationships with consumers to keep an eye out for red flags that signal identity theft. But this rule does not apply to every business or employer; only those entities that are considered creditors or financial institutions are subject to the Red Flags Rules.