Red Flag Rules

In order to help prevent identity fraud, businesses that provide goods and services on credit to the public are required to create Red Flag Rules. Red Flag Rules are a set of guidelines formulated to identify possible risks to customer information and to create guidelines and business practices to deal with these risks. 

Any business that provides goods or services on credit to consumers is required to develop Red Flag Rules. This includes not only banks and financial institutions, but also any business that takes a consumer’s credit information, for the granting of a loan or the extension of credit. This requirement applies not only to consumer accounts, which are accounts created for personal or household use, but also to commercial accounts, created for a business use, that create a foreseeable risk to a consumer account.

Businesses are required to create a written program. The program must first identify potential risks to consumer information, such as whether account information is accessible over the Internet or via the telephone, as well as other computer security issues. The program must then identify potential “red flags” indicating consumer information may be at risk, such as fraud alerts received from credit reporting agencies, suspicious documentation used to open an account, or any suspicious account activity.

Once the “red flags” are identified written procedures need to be developed to deal with these “red flags” when they arise. The procedures need to create appropriate responses to minimize any harm done.

Businesses should designate a Red Flag Compliance Officer. This person should be tasked with developing a business’ Red Flag Rules, educating its employees and the monitoring and periodic update of the Rules.