FACTA Section 114

Red Flag Rules
General Requirements - Red Flag Rules

On October 31, 2007 the Joint Committee of the OCC, Federal Reserve Board, FDIC, OTS, NCUA and the Federal Trade Commission passed the final legislation for Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the RED FLAG RULES. 

This Section requires all organizations subject to the legislation to develop and implement a written "Identity Theft Prevention Program" to DETECT, PREVENT and MITIGATE identity theft in connection with the opening of certain new and certain existing accounts.

Compliance Deadline: 

Effective January 1, 2008.  Final Deadline for Compliance was November 1, 2008 for all financial institutions except state chartered credit unions.  Enforcement for organizations subject to oversight by the Federal Trade Commission was extended four times and the final compliance deadline to avoid penalties was June 1st, 2010.   

Who Must Comply?   

Banks, thrifts, mortgage lenders, credit unions, US branches and agencies of foreign banks, US commercial lending companies of foreign banks, and certain "creditors," a term defined as "any person or business who arranges for the extension, renewal, or continuation of credit".  This specifically includes utility companies, car dealers, telecommunications companies, health care companies, and debt collectors.  Many other types of organizations could also fall into this definition.

Which Accounts Must Be Covered? 

Accounts that must be covered include certain new accounts where a relationship exists and existing accounts, defined by the regulation as "Covered Accounts."

Which Accounts Need Not Be Covered?

 Single, non-continuing transactions where no ongoing relationship exists.

What are the Covered Accounts?  

  • A personal account that involves or is designed to permit multiple payments or transactions such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, and
  • Any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.  [It is mentioned in the comments to the regulation that business accounts are an example of a type of account that would fall into this second category of covered accounts.]

 What are the Requirements?


Each organization that is subject to the regulation must IDENTIFY relevant patterns, practices and specific forms of activity that are "red flags" signaling possible identity theft, and incorporate those red flags into its program.

Each organization is responsible for coming up with its own list of Red Flags, and the list should be as exhaustive as possible.  Unfortunately there is no qualification in the regulation for the "Top Ten Red Flags" or the "Red Flags Most Commonly Found", so you need to include every situation that you can.  You should utilize the following resources when creating your list:

1. Examples provided in Section 114, subpart J, Appendix A of FACTA.  (These are also listed on our website, www.redflagrules.net, for your convenience.)

2.  The financial institution's or the creditor's own experience, and

3.  Relevant identity theft methods and changes in identity theft risks.  [In other words, you must keep pace with the new and evolving methods that criminals are using to obtain and use the personal information of others.] 


Now that you have a complete list of the Red Flags that signal identity theft as it pertains to your organization, you must describe how you will detect each Red Flag in every circumstance where it may occur. There are several very broad requirements for this objective.  A closer look at these may reveal deficiencies or gaps in your current programs and processes that will need to be addressed:

1. Obtaining Identifying Information and Verifying Identity

This specifically pertains to the process of verifying the identity of a person who has approached you regarding the opening of a new account.  You may already have a solution in place based on the requirements of the USA Patriot Act, but this may be a good time to assess whether or not your current practice is strong enough.  Make sure that your process will detect the Red Flag BEFORE the account is opened, which is a variation on CIP Rules.  New advances using national database scanning provide additional security for Customer Information Programs (CIPs).

2.  Authenticating Transactions for Existing Customers 

The term "authentication" typically means a stringent means of assuring that the person who is making a transaction is the true owner of the "personal information set" that we call an identity.  The traditional method of validating an identity has been to obtain a driver's license or government ID and compare the picture on the ID to the person in front of you.  With the onset of identity theft, this method can no longer be completely trusted.  An authentication process must be put in place that includes additional validation of the person’s identity before a transaction is allowed.  Some of the newest forms of authentication include biometrics, tokens, security ID cards, fingerprint readers and GPS technology using cell phones as a point of reference.  For online transactions these are used in conjunction with user ID and passwords to create stronger two-factor authentication processes.  Another method is to ask the consumer several "out of wallet" questions, which are questions that have answers only the customer would know and cannot be answered by information typically found in a purse or wallet (which may have been compromised).

The Red Flag regulation does not specify the degree to which you must deploy technology to detect Red Flags.  It only stresses the need to be “effective” and to prove the effectiveness of your program to your board of directors on at least an annual basis.

3.  Monitoring Transactions (Activity) Of Customers

Monitoring activity of your current customers can be an even bigger challenge.    An example used in the regulation is a change of address request that closely follows a request for a new credit or debit card.  Another is a material change in a customer’s use of credit, especially with respect to recently established relationships.  This means that not only do you need to track specific types of activities but you must track those activities in relation to the timing of certain other events or transactions and in some cases compare it to a “norm” that may be different for each customer.  There are rules-based database scanning technologies that can look for patterns of behavior and anomalies in your existing customer transaction data and provide an alert.   But whether you employ a technology solution or not, it is the responsibility of the financial institution to make sure that all of the rules are established, maintained and are followed accurately.

 4.  Verifying the Validity of Change of Address

 There is a great deal of emphasis that is placed on the monitoring of change of address for covered accounts – for good reason!  It is a proven fact that in most cases an identity thief will attempt to manipulate an account before he begins his spending spree so that fraudulent activity will not be discovered quickly.  One way to do this is to change the address on an existing account to divert the statements and notifications so the real owner of the identity remains unaware.  The longer a thief can go undetected the more damage they can do.  And don’t overlook change of e-mail address as well.  With many customers now using e-statements this is another way for the thief to hide his tracks.  A change of address request should be treated in the same cautious manner as a request for a withdrawal, using the level of authentication required for other types of transactions.    

Change of address requests for debit and credit cards are called out in a separate section of the rulemaking, with specific requirements for assuring the integrity of this type of transaction under certain circumstances.

The regulation requires that issuers of debit or credit cards establish and implement reasonable policies and procedures to validate a change of address request IF a request for a replacement card follows the change of address within 30 days.

The card issuer may NOT ISSUE the card until it has satisfied at least one of the following provisions:

 (1)  Notifying the cardholder by postal mail at the former address, or other means previously agreed with the cardholder, and providing a means for the cardholder to PROMPTLY respond if the address change is incorrect.   
(2)  Using another means of assessing the validity of the request for address change -- which is probably referring to address validation software systems. 
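
The 30-day replacement-card condition described above, expressed as detection logic over an account event stream. This is an added example, not part of the original page or the text of the regulation; the event names, account IDs and the inclusive 30-day boundary are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # "within 30 days"; inclusive boundary is an assumption

# Constructed sample events (date, account, event type). Event type names are
# hypothetical; "address_change_validated" stands for either provision (1) or (2).
EVENTS = [
    ("2024-03-01", "ACCT-1001", "address_change"),
    ("2024-03-10", "ACCT-1001", "replacement_card_request"),
    ("2024-01-05", "ACCT-1002", "address_change"),
    ("2024-03-20", "ACCT-1002", "replacement_card_request"),
    ("2024-03-02", "ACCT-1003", "address_change"),
    ("2024-03-04", "ACCT-1003", "address_change_validated"),
    ("2024-03-15", "ACCT-1003", "replacement_card_request"),
    ("2024-03-12", "ACCT-1004", "replacement_card_request"),
    ("2024-03-01", "ACCT-1005", "address_change"),
    ("2024-03-31", "ACCT-1005", "replacement_card_request"),
]


def review_card_requests(events):
    """Return (account, request_date, decision) for each replacement request.

    HOLD means: an address change precedes the request by 30 days or less and
    no validation of that change has been recorded, so the card is not issued.
    """
    state = {}       # account -> [time of latest address change, validated?]
    decisions = []
    # ISO dates sort chronologically; on the same day "address_change" sorts
    # before the other event types, so the change is seen before the request.
    for day, account, kind in sorted(events):
        ts = datetime.strptime(day, "%Y-%m-%d")
        if kind == "address_change":
            state[account] = [ts, False]   # a new change needs fresh validation
        elif kind == "address_change_validated" and account in state:
            state[account][1] = True
        elif kind == "replacement_card_request":
            changed, validated = state.get(account, (None, False))
            recent = changed is not None and ts - changed <= WINDOW
            hold = recent and not validated
            decisions.append((account, day, "HOLD" if hold else "ISSUE"))
    return decisions


if __name__ == "__main__":
    for account, day, decision in review_card_requests(EVENTS):
        print(f"{day} {account} {decision}")
```

Each HOLD decision is also a record that a Red Flag was detected and how it was handled, which is the kind of tracking the annual report on Program effectiveness draws on.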


The regulation states that a Red Flag Program should provide for appropriate responses to the Red Flags detected that are commensurate with the degree of risk posed.  In reading the original draft of the legislation this section references an assessment of risk to both the customer and to the financial institution or creditor.  This is a human assessment that must take place each time a Red Flag is detected in order to gauge a response.  You must not only consider the type of Red Flag, but its timing with other “aggravating factors” that may increase the risk of identity theft.  The regulation provides two examples of aggravating factors: (1) the institution has experienced a breach of security that resulted in the unauthorized access or loss of personal data of customers, or (2) you become aware that a customer has provided information related to a covered account to someone who is fraudulently claiming to represent the financial institution or creditor, or to a cloned website.  There are surely other aggravating factors, such as the customer reporting to you that they have seen other evidence of fraud or abuse of their identifying information.

The regulation states that appropriate responses may include the following:

(a)  Monitoring a covered account for evidence of identity theft,
(b)  Contacting the customer,
(c)  Changing any passwords, security codes, or other security devices that permit access to a covered account,
(d)  Reopening a covered account with a new number,
(e)  Not opening a new covered account,
(f)  Closing an existing covered account,
(g)  Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)  Notifying law enforcement; or
(i)  Determining that no response is warranted under the particular circumstances. 

It is worthwhile to note that the last criterion was added to the final rulemaking to acknowledge that there may be times when a Red Flag produces a false positive alert, meaning that the circumstances indicate a Red Flag is present but it can be determined that no risk of identity theft exists.  It was emphasized that it is “implicit” in order to “respond appropriately” to a Red Flag that not only does the financial institution or creditor need to assess the degree of risk; it must also have a “reasonable basis” for concluding that the Red Flag does not evidence a risk of identity theft.

In practical application, when you find a Red Flag and you cannot establish a reasonable basis for no response, you must notify the customer.  All other responses depend on this.  When you notify the customer that he or she may be a victim of identity theft you will most likely get the following question, “what do I do now?”  The answer is critical, not only to your customer, but ultimately your brand image and quite possibly your market share.

There are already many financial institutions who are offering no cost professional identity theft recovery services to deliver the difficult and specialized work that is necessary to unravel the problem of identity theft for their customers. You can spot a reputable service if they offer to do the legwork for the customer by utilizing a limited power of attorney authorization in order to dispute the fraudulent activity and obtain documented clearance of all issues.  The identity theft services industry is yet unregulated and there are many companies that provide only generic advice but call it “recovery assistance” when in fact it is nothing more than a do-it-yourself-kit.  Still others thrive on big dollar media hype and half-truths about preventing identity theft using fraud alerts with million dollar guarantees.  Do your homework!  Your reputation depends on it.

If you feel you already have remediation for identity theft events covered by your Fraud Unit, consider this.  By outsourcing some or all of the mitigation for identity theft issues found by Red Flags you will not only be providing a higher quality of service to your customers and reallocating valuable employee time, but you will also have a system for tracking the identity theft activity and how it is resolved.  This is a requirement of the Red Flag regulation that is coming up in the next section. 


The final rules include a fourth element to make sure that the Program keeps pace as criminals get more creative.  The regulation requires that a financial institution or creditor have in place “policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.”

In this requirement are several key words that elaborate on its intent.  First, the terms “policies” and “procedures” mean that you need to have a documented method for monitoring, assessing, and adopting additional measures to detect, prevent and mitigate new ways of committing identity theft as they are discovered.

Second, the term “ensure” emphasizes the importance of making sure that this requirement is not treated lightly.  Key criteria that should be included in your program include (1) Where you access your identity theft trend data, (2) Who will be designated to track and record this information, (3) What process will you take to assess and adopt new measures into your program.

Third, the term “periodically” may be interpreted as more than once a year.  Otherwise, the Committee would have used the word annually. 

How Must the Plan Be Administered?

Each financial institution or creditor must provide for the proper administration of their Program and must meet the following requirements:

1.  Adoption of the Initial Plan by the Board.  Each financial institution or creditor must obtain initial approval of the Identity Theft Prevention Plan by its board of directors or committee of the board, or if there is no board, then by a designated Senior Manager.

2.  Assign Specific Responsibility for the Program.  The regulation specifically states that you should involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the program. 

3.  Reporting to the Board or Senior Manager.  At least annually, the person or committee responsible for the Program must provide a report to the board of directors or senior manager that does the following:

(a)  Shows the effectiveness of the Program for covered accounts

(b)  Explains “significant events” involving identity theft and management’s response to the incidents

(c)  Provides recommendations for material changes to the Program due to evolving risks and methods of identity theft

Am I Responsible for My Service Providers?

In a word, “yes”.  Whenever a service provider is performing an activity in connection with a covered account it is your responsibility to make sure that the provider (a) has an Identity Theft Prevention Plan, and (b) is following the Identity Theft Prevention Plan.  The same requirement to detect, prevent and mitigate identity theft as it pertains to covered accounts is extended to any service provider who is engaged to perform an activity in connection with the covered accounts.  In order to be compliant with this provision there are two options:

(1)  The financial institution or creditor could require the service provider to have a Red Flag Program of its own and report to the financial institution or creditor on the effectiveness of the program, etc.

(2)  The financial institution or creditor could require the service provider to respond to its Red Flags appropriately to prevent and mitigate the risk of identity theft.

 What about Training of Staff?

The proposed rules required each financial institution or creditor to train staff to implement its program.  Consumer groups wanted the final rules to be more detailed, calling for specific oversight and audit of the covered entity’s training efforts.  On the other side, financial institutions felt that they had already met the burden of training through their fraud prevention efforts. 

The final rules provide that a covered entity must train staff, as necessary, to effectively implement the program.  While there is no corresponding section, the Agencies stressed the importance of this requirement by stating that they continue to believe that proper training will enable the staff to address the risk of identity theft.


Information published on this site is of general applicability and is not intended to be relied on as a complete and accurate interpretation of the law for any person or entity.  By virtue of this publication, we are not providing legal, accounting or other professional advice for specific companies or financial institutions.  Please consult your legal or compliance adviser before taking any action on information contained herein.
-- NXG Strategies, LLC

About NXG Strategies:

NXG Strategies is an industry pioneer and the nation's top-tier consulting firm helping financial institutions, lending organizations, insurers and other corporations provide sponsored identity theft PREVENTION and identity theft MITIGATION services to more than 1.5 million program members.  Now, in cooperation with the latest in DETECTION technologies NXG Strategies can provide a complete solution in answer to the Red Flag Legislation.

