
The Facts About FACTA’s Identity Theft “Red Flag” Rules

The information provided about FACTA and Red Flag rules is not legal advice. If legal advice is required, the services of a legal professional should be sought.

November 1 is the deadline for complying with Section 114 of FACTA (Fair and Accurate Credit Transactions Act of 2003), also known as the “Red Flag” rules. If that fact has you ready to wave the white flag, Harland Clarke can help. Delivering Value recently asked Buddy Allen, senior product specialist in marketing with Harland Clarke, some questions about the Red Flag rules. (Buddy is not a lawyer and his comments below are not legal advice.)

How Prepared Are You?

In early May, Harland Clarke conducted an online survey of compliance officers regarding their preparation process for the November 1, 2008 FACTA Red Flag compliance deadline. The results may surprise you.

  • Very few respondents (only 13%) felt extremely knowledgeable about Red Flag legislation. The majority (74%) felt they were “somewhat knowledgeable” about it.

  • Most (62%) had not yet started preparing their Red Flag compliance program, or were in the very early stages. This was especially true with smaller financial institutions. About a third (34%) were well under way in the process, and a small minority of early birds (4%) had already completed their compliance planning.

  • Nearly two-thirds (64%) of respondents expressed a need for outside assistance in developing their FACTA compliance plan.

  • Four in 10 respondents do not currently offer an identity theft recovery service, but expressed interest in providing this service to account holders.

DV: What are the Red Flag rules? What are the requirements?

BA: In October 2007, federal financial institution regulatory agencies and the Federal Trade Commission issued rules that require financial institutions and creditors to develop and implement an identity theft prevention program. According to regulators, “the program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft and enable a financial institution or creditor to: identify relevant patterns, practices and specific forms of activity that are ‘red flags’ signaling possible identity theft and incorporate those red flags into the program; detect red flags that have been incorporated into the program; respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and, ensure the program is updated periodically to reflect changes in risks from identity theft.”1

DV: Who must comply?

BA: The rules state that “financial institutions and creditors that offer or maintain ‘covered accounts’ must develop and implement a written program. A covered account is (1) an account primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.”2

DV: What are some of the red flags that need to be monitored?

BA: The guidelines provide 26 examples of red flags. Some of them include: “alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; the presentation of suspicious documents; the presentation of suspicious personal identifying information, such as a suspicious address change; the unusual use of, or other suspicious activity related to, a covered account; and notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.”2

DV: What should financial institutions do to prepare for the November 1 deadline?

BA: Financial institutions should have a cohesive written policy, approved by their board or senior management, that describes the various red flags they will detect as well as the resulting processes that must be followed once one of those red flags has been detected.

DV: What are some of the compliance challenges facing financial institutions?

BA: Financial institutions must educate all their employees to look for red flags across consumer and small business accounts including IRAs, investments, mortgages, loans, etc. A second challenge is updating the plan periodically in order to keep up with the changing risks to consumers. One way to do this is by monitoring trends, such as collecting and analyzing red flag data. Financial institutions may not currently have a tool in place that allows them to easily collect and analyze this data.

DV: What is the first step for financial institutions in developing an identity theft prevention program?

BA: The first step is to form a Red Flag compliance team made up of executive and senior-level management. The rules specifically call for “oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management.”2

DV: How time-consuming will it be for most financial institutions to comply with the new regulations?

BA: It will depend upon the size of the institution, the documentation already in place for identity validation processes, and the knowledge level of the current staff. The creation of the written plan will require input from all departments that service ‘covered accounts.’

DV: What is the biggest mistake a financial institution can make in the compliance process?

BA: Not working as one cohesive group to come up with a plan. It’s important to take an overall organizational perspective on this. That is why it must be approached from a corporate view, allowing for everyone’s input, building a plan and a process that is efficient and effective across the entire organization.



1 FDIC joint press release: “Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy” 31 Oct. 2007
2 http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. The Guidelines provide 26 examples of red flags.