By Thomas Ahearn, ESR Staff Writer

With identity theft on the rise – a recent survey found the number of identity theft and fraud victims in the U.S. increased 12 percent to affect over 11 million adults in 2009 – the Federal Trade Commission (FTC) is requiring businesses that extend credit to customers to develop plans to detect and prevent identity theft beginning June 1, 2010.

The FTC delayed enforcement of this “Red Flags” Rule until June 1, 2010 at the request of Congress after the Rule was published under the Fair and Accurate Credit Transactions Act (FACTA) in which Congress directed the FTC to develop regulations for “financial institutions” and “creditors” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – or “red flags” – that may indicate identity theft.

According to a “Facts For Businesses” page on the FTC website, the Red Flags Rule for implementing a written identity theft prevention program applies to “financial institutions” and “creditors” with “covered accounts,” and the FTC warns that these terms may apply to groups that might not typically use those words to describe themselves.

  • The Red Flags Rule defines a “financial institution” as banks, savings and loan associations, mutual savings banks, credit unions, or any person, directly or indirectly, holding a transaction account belonging to a consumer.
  • The Red Flags Rule definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. Utility companies, health care providers, and telecommunications companies may fall within this definition. Creditors also include those who regularly grant loans, arrange for loans, or extend credit.
  • The Red Flags Rule defines that term “covered accounts” as 1.) A consumer account primarily designed to permit multiple payments or transactions such as credit card accounts, mortgage/auto loans, and cell phone, utility, and checking and savings accounts; and 2.) Any account for which there is a foreseeable risk to customers or to the financial institution or creditor from identity theft.

Beginning June 1, the Red Flags Rule requires “financial institutions” and “creditors” with “covered accounts” described above to develop, implement, and administer Identity Theft Prevention Programs that include four basic elements to address the threat of identity theft: Indentify, Detect, Prevent, and Update.

  • An Identity Theft Prevention Program must include reasonable policies and procedures to identify the “red flags” of identity theft, the suspicious patterns and practices, or specific activities, that may indicate the possibility of identity theft.
  • An Identity Theft Prevention Program must be designed to detect the red flags identified, and have procedures in place to help in the detection of red flags.
  • An Identity Theft Prevention Program must spell out the appropriate response to take when red flags are detected to prevent and mitigate identity theft.
  • An Identity Theft Prevention Program should go through a periodic update to reflect new risks from identity theft since this crime is an ever-changing threat.

In addition, the Red Flags Rule written Identity Theft Prevention Program designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones must be appropriate to the size and complexity of the business or organization and the scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Identity Theft Prevention Program.

For information about identity theft and the Red Flags Rule, visit or Employment Screening Resources (ESR) at