The IT Law Wiki


The Identity Theft Red Flags Rule, issued in 2007, requires creditors and financial institutions to implement identity theft prevention programs.[1] It is implemented pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The FACT Act amended the Fair Credit Reporting Act (FCRA) by directing the FTC, along with the federal banking agencies and the National Credit Union Administration, to develop Red Flags guidelines. These guidelines require creditors and financial institutions with covered accounts to develop and institute written identity theft prevention programs.

According to the FTC, the identity theft prevention programs required by the rule must provide for:

Possible "red flags" could include:

• unusual use of — or suspicious activity relating to — a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.[3]

The deadline for creditors and financial institutions to comply with the Red Flags Rule was originally set at November 1, 2008. However, many of the organizations affected by the Red Flags Rule were not prepared to institute their identity theft prevention programs by this date. Therefore, the FTC moved the deadline to May 1, 2009,[4] and then further extended the compliance date to November 1, 2009.[5] Most recently, the FTC extended the enforcement date to June 1, 2010,[6] and indicated that extension was, in part, a result of the debate over whether Congress wrote the FACT Act Red Flags provision too broadly by including all entities qualifying as creditors and financial institutions.

The effect that the Red Flags Rule will have on the prevalence of identity theft remains uncertain. One potential effect is that the Red Flags Rule may help creditors and financial institutions prevent identity theft by identifying potential lapses in security or suspicious activities that could lead to identity theft. This could possibly lead to an overall decrease in the number of identity theft incidents reported to the FTC, as well as the number of identity theft cases investigated and prosecuted. Once a red flag is detected, the Red Flags Rule requires that the creditor or financial institution respond to it. One response option that creditors and financial institutions might include in their prevention programs is to notify consumers or law enforcement of data breaches that could potentially lead to the theft of consumers’ personally identifiable information. While notification is not a required element of the identity theft prevention programs,[7] early notification could lead to consumers taking swift action to prevent identity theft or mitigate the severity of the damage that could result if they had not been notified as quickly.

Other questions about the effects of the Red Flags Rule stem not from its possible effects on the prevalence of identity theft, but from its effects on the approximately 11.1 million creditors and financial institutions required to implement the identity theft prevention programs.[8] The FTC estimates the total annual labor costs (for each of the first three years the Rule is in effect) for all creditors and financial institutions covered by the rule to be about $143 million.[9] This financial burden would be absorbed by the responsible creditors and financial institutions.

Further, some entities considered creditors or financial institutions under the Rule have expressed concern that the burden of the rule overlaps with burdens already incurred under other regulations.[10] For example, the American Bar Association (ABA) has expressed concern over whether lawyers are considered “creditors” under the Red Flags Rule because they generally do not require payment until after services are rendered. On October 29, 2009, the U.S. District Court for the District of Columbia ruled that the FTC’s interpretation of the Fair and Accurate Credit Transactions Act of 2003 overreaches, and its application to lawyers is unreasonable.[11]

Further, the American Medical Association has indicated that physicians should be exempt from the Red Flags Rule because of patient privacy and security protections required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[12] In addition, there may be concern that to avoid being considered creditors, some physicians could possibly require full payment at the time of service (rather than allowing deferred payments). This could in turn lead to some patients avoiding potentially necessary treatment if they are unable to pay in full at the time of service; on the other hand, the rule may have no effect on patients seeking medical treatment.

Legislation in the 111th Congress would place limits on the “creditors” and “financial institutions” currently covered by the Red Flags Rule.[13] The actual effects of the Red Flags Rule — including effects on identity theft rates as well as any indirect consequences — will not be evident until after full implementation by creditors and financial institutions. The 111th Congress may consider monitoring the effects of the impending Red Flags Rule on subsequent identity theft rates.


  1. The Red Flags Rule is listed at 16 C.F.R. §681. The Red Flags Rule was issued jointly by the Federal Trade Commission (FTC); the Office of the Comptroller of the Currency, Department of the Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Department of the Treasury; and the National Credit Union Administration. The final rules are available at "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule," 72 Fed. Reg. 63718-63775 (Nov. 9, 2007).
  2. Federal Trade Commission, "Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy," press release (Oct. 31, 2007) (full-text).
  4. Federal Trade Commission, Press Release, "FTC Will Grant Six-Month Delay of Enforcement of 'Red Flags' Rule Requiring Creditors and Financial Institutions to Have Identity Theft Prevention Programs" (Oct. 22, 2008) (full-text).
  5. Federal Trade Commission, Press Release, "FTC Will Grant Three-Month Delay of Enforcement of 'Red Flags' Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs" (Apr. 30, 2009) (full-text).
  6. Federal Trade Commission, Press Release, "FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," (Oct. 30, 2009) (full-text).
  7. The FTC has published a guide to assist businesses in creating the identity theft prevention programs — Federal Trade Commission, "Fighting Fraud With the Red Flags Rule: A How-To Guide for Business" (Mar. 2009) (full-text).
  8. Identity Theft Red Flags Final Rule, at 63741.
  9. Id. Cost estimates are provided by OMB in three-year increments. Therefore, cost estimates for subsequent years are unavailable and could change from the estimates provided for the first three years.
  10. Legislation has been introduced in the 111th Congress that would narrow the scope of entities considered "creditors" under the FACT Act. H.R. 2345, for example, would exempt health care practices with 20 or fewer employees from being considered creditors under the Red Flags Rule.
  11. American Bar Association, “Statement of ABA President Carolyn B. Lamm in American Bar Association vs. Federal Trade Commission, ABA Applauds Injunction, Summary Judgment in Red Flags Suit,” press release (Oct. 29, 2009).
  12. Letter from American Medical Association et al. to William E. Kovacic, Chairman, U.S. Federal Trade Commission (Sept. 30, 2008).
  13. For example, H.R. 3763, passed by the House on October 20, 2009, would, among other things, exclude health care, legal, and accounting practices with twenty or fewer employees from the meaning of a “creditor” under the Red Flags Rule.
