The Red Flags rule has two main purposes:
- To require financial institutions and creditors to implement a written program to detect, prevent, and mitigate identity theft in connection with the opening of an account or any existing account.
- To identify and describe patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. These “patterns, practices, and specific forms of activity” are “red flags” intended to alert financial institutions and merchants concerning the possibility of imminent identity theft. Written programs designed to prevent identity theft must include these “red flags”-or other relevant warning signals-and appropriate procedures must be developed to respond to the warnings.
According to the rule, a written program will include “reasonable” policies and procedures that perform the following tasks:
1. Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the program;
2. Detect Red Flags that have been incorporated into the program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate and identity theft; and
4. Ensure that the program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
There are several issues here that bear close attention.