Bank Regulators Issue FAQs On Identity Theft Red Flag Rules

June 22, 2009 at 11:50 pm

On June 11, 2009, federal bank regulators, the National Credit Union Administration (NCUA) and the Federal Trade Commission (FTC) issued frequently asked questions (FAQs) to provide financial institutions and creditors with further guidance on the scope and implementation of the Identity Theft Red Flag Rules (Red Flag Rules).

The Red Flag Rules went into effect for financial institutions on November 1, 2008, and will go into effect for non-financial institution creditors on August 1, 2009 (this deadline has been extended twice because many of the entities did not realize they fell under the Red Flag Rules).

Below is a quick summary of the FAQs.  A complete copy of the FAQs is available here.


  • The Red Flag Rules apply to:
    • all banks, savings associations and credit unions, regardless of whether they hold a “consumer account”
    • all banks, regardless of whether their powers are limited to trust activities
    • brokers, dealers, investment advisors, or investment or insurance companies that are “financial institutions” or “creditors” under the Red Flags Rule, including subsidiaries of banks
    • corporate credit unions
    • credit union service organizations (CUSOs)
  • The Red Flag Rules do not apply to foreign branches of U.S. banks.



  • The definition of “covered account” has two parts:

(1)        “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions” and

(2)        “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

An account that falls under either part is a “covered account.”

  • These types of accounts may be “covered accounts”:
    • Business accounts
    • Business loans guaranteed by a consumer
    • Pre-paid card accounts (especially those that create a continuing relationship)
    • Certificate of deposit accounts
    • Investment retirement accounts (IRAs)
    • Trust accounts
    • Accounts established in the U.S. by non-U.S. residents
    • Indirect consumer loans (including loans purchased by another financial institution or creditor)
    • Leases

Identity Theft Program:

  • Financial institutions and creditors may use automated solutions to detect red flags. They are not required to do so, and an automated solution may need to be supplemented by non-automated policies and procedures.
  • The Red Flag Rules do not require a specific response for any particular situation, but give examples of responses that may be appropriate.
  • The obligation to oversee service provider arrangements includes fraud detection services and services in connection with opening or accessing covered accounts, such as providing an online banking platform, call center services, or debt collection.
  • The Red Flag Rules do not require the oversight of service providers through a written contract, although it might be helpful.



  • The Red Flag Rules do not contain a specific record retention requirement.
  • The Red Flag Rules do not require a financial institution or creditor to educate consumers.
  • The list of examples of Red Flags in the supplement to the Guidelines is not a comprehensive list of Red Flags, nor must a financial institution or creditor incorporate all of those examples into its Program.


Produced & Maintained By Stinson Leonard Street

A legal resource for Banking & Financial Services