FTC to Begin Enforcing “Red Flags Rule,” Which Requires Many Businesses to Implement Identity Theft Prevention Programs, on May 1st

April 9, 2009

On May 1, 2009, the Federal Trade Commission ("FTC") will begin enforcement of the new "Red Flags Rule," a little-known regulation that likely affects a surprisingly large number of business entities.

The Red Flags Rule, which was developed pursuant to the Fair and Accurate Credit Transactions Act of 2003[1] and is codified at 16 C.F.R. Section 681.2, requires that financial institutions and creditors with "covered accounts" develop and implement written identity theft prevention programs that provide for identifying, detecting, and responding to patterns, practices, or specific activities – "red flags" – that could indicate identity theft.

Who Is Covered?

The Red Flags Rule applies to any financial institution or creditor holding a covered account. 

  • Under the Red Flags Rule, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a customer.
  • A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.  Examples of creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.  Non-profit and government entities are also deemed to be creditors where they defer payment for goods or services.
  • A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions.  Examples of covered accounts include, but are not limited to, credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.  A covered account is also defined to include an account for which there is a foreseeable risk of identity theft, such as small business or sole proprietorship accounts.

Given the broad definitions of "creditor" (any entity that defers payments for goods or services) and "covered account" (any account involving multiple transactions that is primarily used for personal purposes), the Red Flags Rule will likely apply to many businesses in the United States.  In fact, the FTC has estimated as many as 11 million creditors will have to comply with the Rule, and has stated that the Rule is also applicable to non-profit organizations.

What Is Required?

  • By May 1, 2009, covered entities must develop and implement a written program that identifies and detects the relevant warning signs of identity theft.  The program must describe appropriate responses that would prevent and mitigate identity theft and provide a plan for periodically updating the program.

Closely related to the Red Flags Rule are two other regulations that are also intended to prevent identity theft.  16 C.F.R. Section 681.3 requires credit and debit card issuers to develop and implement policies and procedures to determine the validity of a change of address request that is followed closely by a request for an additional/replacement card.  Furthermore, 16 C.F.R. Section 681.1 requires all users of consumer credit reports[2] to develop and implement policies and procedures that enable them to form a reasonable belief that a consumer report relates to the consumer about whom they have requested the report, when they receive a notice of address discrepancy from a consumer reporting agency.  If a user regularly and in the ordinary course of business furnishes information to a consumer credit agency, the user must also forward the correct address to the consumer credit agency.  The FTC began enforcing these related regulations on November 1, 2008.

What Are the Penalties for Noncompliance?

The FTC may impose monetary penalties of up to $2,500 per knowing violation of the Red Flags Rule.  Although the FTC does not appear to have commented on how it would calculate such penalties, it is possible that the FTC could impose a penalty of $2,500 for each covered account that a noncompliant entity maintained.  Thus, even small businesses face the potential of large monetary penalties for noncompliance with the Red Flags Rule. 

Consequently, it is extremely important for all businesses to determine whether they are a covered entity, and if so, develop and implement an identity theft program by May 1, 2009.



  [1]   Which is an amendment to the Fair Credit Reporting Act.

  [2]   The term "user" refers to any user of a consumer credit report, and encompasses not only the more traditional types of creditors – who use consumer reports in conjunction with activities such as the issuance of credit cards, loans, and mortgages – but also includes entities that obtain consumer credit reports for the purpose of making employment-related decisions, and financial institutions.

  Gibson, Dunn & Crutcher LLP

Gibson, Dunn & Crutcher LLP lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn attorney with whom you work or Karl G. Nelson (214-698-3203, [email protected]) or M. Sean Royall (214-698-3256, [email protected]) in the Dallas office.

© 2009 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.