Red Flags Rule Addresses Identity Theft

Q: What is the Red Flags Rule?
A: The Red Flags Rule (“Rule”) is part of the Fair and Accurate Credit Transactions Act of 2003. The Rule has three parts requiring covered businesses to take steps to detect, prevent, and mitigate identity (ID) theft. It concentrates on detecting patterns, practices, and activities that suggest a person is fraudulently using another individual’s personal information/identity. The Rule was amended in 2010 to clarify what types of businesses must comply.

Q: How does the Rule help detect ID theft?
A: One common form of ID theft involves using a false address for a person to open accounts or to gain access to that person's credit or debit cards. Two sections of the Rule address this by requiring companies to verify certain address changes or notices of address discrepancies. Debit or credit card issuers must have reasonable policies to verify a cardholder’s address change, particularly if the issuer receives a request for a replacement or additional card shortly after the address change request. Companies that routinely use consumer reports (such as credit reports) must have policies to resolve address discrepancies if the address they have for a person differs from the address the consumer report agency has on file.

The part of the Rule that has received the most attention requires covered businesses to develop written policies to identify and respond to ID theft “red flags.”

Q: What are the “red flags” of ID theft?
A: The Rule guidelines list 26 common red flags, divided into five categories:
1) alerts, notifications or warnings from a consumer reporting agency;
2) suspicious documents;
3) suspicious personal identifying information;
4) unusual use of, or suspicious activity related to, a covered account; and
5) notice from customers, victims of ID theft, law enforcement, or other persons regarding possible ID theft.

However, the enforcement agencies have stated that this list is not exhaustive and businesses should develop a policy to address any other potential red flags they may identify.

Q: What must the written policy include?
A: The written policy should be tailored to the specific business and industry's experience with ID theft and likely red flags. The policy must be approved by the business’s board of directors, and set out how the business will detect and respond to "red flags" of identity theft in its day-to-day operations. The policy must be updated periodically and someone within the company must be responsible for its implementation and management.

Q: What companies must comply with the Rule?
A: Any financial institution (such as banks, credit unions, and savings and loans) and any “creditor” that has “covered accounts” must comply with the Rule. A “creditor” is any entity that regularly, and in the course of its business, 1) obtains or uses consumer credit reports in connection with a credit transaction; 2) provides information to consumer reporting agencies in connection with a credit transaction; or 3) advances funds that must be repaid in the future (or against collateral). Examples include cellular telephone companies, utility companies, automobile dealers or other companies that advance funds or routinely interact with consumer credit agencies when performing a service and receiving payment once the work is complete. Excluded from the definition of "creditor" are businesses or entities that advance funds on behalf of a person for expenses incidental to a service the creditor provides to that person, such as doctors, attorneys or other professionals who perform services and then bill for such services.

“Covered accounts” are accounts used by individuals or for household purposes, or any other type of account that is likely to be an ID theft target.

Q: Who enforces the Rule?
A: The federal bank regulatory agencies, the National Credit Union Administration, the federal securities and commodities exchange regulatory agencies, and the Federal Trade Commission each have enforcement authority.

Q: How does the Rule impact consumers? 
A: In general, you may be asked to submit additional identification at businesses impacted by the Rule, particularly shortly after an address change or other change in personal identifying information, such as a name change, or if your photo ID does not closely match your personal appearance.

Q: What if creditors don’t comply with the Rule? Can consumers sue non-compliant creditors under the Rule if their identity is stolen?
A: Businesses are subject to civil fines of up to $2500 per occurrence for willful violations. States may also have enforcement rights, but a consumer cannot bring a private lawsuit under the Rule.

Q: Where can I get more information?
A: Visit the FTC’s website at​.


This “Law You Can Use” column was provided by the Ohio State Bar Association. It was prepared by attorney Tammy L. Imhoff, an associate with the Cincinnati office of Dinsmore & Shohl, LLP.

Articles appearing in this column are intended to provide broad, general information about the law. This article is not intended to be legal advice. Before applying this information to a specific legal problem, readers are urged to seek advice from a licensed attorney.


