
FTC Red Flags Rule

The FTC "Red Flags" Rule requires that certain businesses and organizations develop, implement and administer written Identity Theft Prevention Programs. Identity theft means a fraud committed or attempted using the identifying information of another person without authority. Personal Identifying Information (PII) means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person. This includes, but is not limited to, such information as date of birth, Social Security number, license number and any unique electronic identification number. Notably, the definition includes unique biometric data such as a fingerprint, voice print or other physical representation. This definition differs in some respects from the definition of Personal Information (PI) under Massachusetts' new identity theft regulations, 201 CMR 17.00.

Warning: Applicable to more than traditional financial institutions

The Red Flags Rule applies to "financial institutions" and "creditors."  According to the FTC, the Red Flags Rule defines a "financial institution" as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Banks, federally chartered credit unions, and savings and loan associations come under the jurisdiction of the federal bank regulatory agencies and/or the National Credit Union Administration. The remaining financial institutions come under the jurisdiction of the FTC.

According to FTC guidance documents, the definition of "creditor" is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies are among the entities that may fall within this definition, depending on how and when they collect payment for their services. The Rule also defines a "creditor" as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others, for example by processing credit applications. In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit, such as a third-party debt collector who regularly renegotiates the terms of a debt. If you regularly extend credit to other businesses, you also are covered under this definition. Note that the Red Flag Program Clarification Act of 2010 later narrowed this definition for Red Flags purposes: a business that merely bills after providing goods or services, and does not regularly obtain or use consumer reports, furnish information to consumer reporting agencies, or advance funds in connection with a credit transaction, is no longer treated as a "creditor" under the Rule.

Covered Accounts Broadly Defined

The Rule requires periodic risk assessments to determine if financial institutions and creditors have "covered accounts." The definition of "covered account" is divided into two parts. The first part refers to "an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions." The definition provides examples to illustrate that these types of consumer accounts include "a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account."

The second part of the definition of "covered account" refers to "any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."

Solutions - Start Here

Developing a legally defensible and technically sound written Identity Theft Prevention Program requires a multidisciplinary team approach. Fundamentally, compliance with information security laws that require IT expertise still comes down to an analysis of legal compliance in the end. An experienced lawyer who can communicate on a technical level with in-house and outside technical vendors is invaluable. The Red Flags Rule, like other information security laws such as Massachusetts' 201 CMR 17.00, requires covered entities to demonstrate compliance with a "written" information security plan. It makes sense from the start to design a comprehensive and legally defensible written plan. Moreover, written Identity Theft Prevention Programs under the Red Flags Rule need to be coordinated with other overlapping information security and records management requirements, including the comprehensive Written Information Security Program (WISP) under 201 CMR 17.00, the PCI DSS payment card industry rules and the organization's Document Retention/Destruction Policy. Another reason for early involvement of the legal component of the solution is that both the Red Flags Rule and 201 CMR 17.00 require employee training and therefore require updating Human Resources (HR) procedures and employee manuals.

Teamwork is key

Akin to a "barn raising," the coordinated work of various skilled and talented specialists is required. In conjunction with client business managers and executives, the solution team needs to include input from legal, IT, security and possibly records & information management professionals. Every business and institution has a unique mix of needs and in-house expertise. Experience shows that specialized in-house expertise is expensive to maintain, and therefore gaps may need to be filled with outside consultants. We work with your existing team to identify gaps and, where necessary, help you locate and engage the most cost-effective outside talent.

Why Start With a Legal Professional?

Applying technical vendor solutions together with a boilerplate legal template will not necessarily add up to legal compliance. Don't get caught letting the IT tail wag the legal dog.

Because many issues related to potential investigations or litigation should be kept confidential, it is vitally important that the proliferation of such information be tightly controlled. Unlike typical technology and records providers, our team approach initially creates the highest possible safeguards for confidential information through the use of the attorney-client privilege. Unlike a confidentiality or non-disclosure agreement, which can be pierced by third parties with relative ease, the privilege accorded to clients seeking and receiving legal advice is far more difficult to pierce, provided it is not waived. At the beginning of an engagement our clients are free to discuss all of the reasons for needing to implement, supplement or revamp their document retention / destruction policies. Whether records were inappropriately destroyed or whether laws with criminal penalties were violated, communications regarding the problems and solutions can be freely and openly discussed.

If any of the reasons for requiring technical information security policy solutions could cause embarrassment or increase legal risk, you should consider engaging legal counsel first in order to create and maintain the critical communications privilege and work-product protections. Under the law of agency, an attorney may be able to extend an umbrella of privilege and other confidential protections over agents (e.g., security and IT specialists) where the subject matter of the engagement relates to issues with a legal component. Because of the vast regulatory environment and the substantial number of civil and even criminal penalties for records management errors, nearly every information security question has a legal component. We have the knowledge and experience to communicate on a technical level with security and IT professionals. If there are any questions about legal liability, get a competent lawyer out in front of your technical team.

Red Flags Rule Legislation

The Red Flags Rule implements section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), which amended the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681m(e).

For more information about our Information Security Consulting Practice please contact Steve O’Neill at
or toll-free 888-766-3455.

Information Security Policy Consulting Services Available

  • Confidential Advice on Compliance With Information Security Laws
  • Multidisciplinary Risk Assessment & Gap Analysis
  • Development of Legally Defensible Written Identity Theft Prevention Programs
  • Coordination of Identity Theft Prevention Program with Existing Security and Records Retention Policies
  • Advice on Reporting and Recordkeeping Requirements
  • HR Policy Review and Revisions
  • Employee Training Programs
  • Breach Response Plans
  • Coordination with in-house or outsourced IT/Security Vendors
  • Review and Drafting of Service Provider Contracts
  • Post-Breach Legal Advice and Representation
  • Development of Enterprise-wide Document Retention/Destruction Policies
  • Development of Legal Hold Procedures for Litigation and Investigation

Professional Partners

  • Network Security Consultants
  • Electronic Storage Systems Consultants
  • Records & Information Management Consultants
  • Computer Forensics Consultants