What Is a Covered Account Under the Red Flag Rule?
Navigate the Red Flag Rule by understanding what constitutes a covered account and its role in identity theft prevention compliance.
The Red Flag Rule is a federal regulation designed to combat identity theft. Established as part of the Fair and Accurate Credit Transactions Act (FACT Act) of 2003, which amended the Fair Credit Reporting Act (FCRA), this rule mandates that certain organizations implement programs to identify, detect, and respond to warning signs of identity theft. Its primary goal is to protect consumers from fraudulent activities involving their personal information and to safeguard the financial system.
Compliance with the Red Flag Rule extends to specific entities categorized as “financial institutions” and “creditors” that maintain “covered accounts.” A financial institution generally includes state or national banks, savings and loan associations, mutual savings banks, federal or state credit unions, and any other entity holding a consumer’s transaction account. These are organizations where consumers can make payments or transfers.
The definition of a “creditor” under the rule is notably broad, encompassing more than just traditional lenders. It applies to any entity that regularly extends, renews, or continues credit, or arranges for such activities. This can include businesses that defer payment for goods or services, such as utility companies, telecommunications providers, healthcare providers, and even automobile dealers. The rule’s applicability is determined by a business’s activities, not its industry, requiring a periodic assessment to determine if it offers or maintains covered accounts.
A “covered account” is central to the Red Flag Rule’s applicability, referring to specific types of accounts that pose a risk of identity theft. The rule identifies two primary categories. The first includes accounts offered primarily for personal, family, or household purposes that involve multiple payments or transactions. Examples commonly include:
Credit card accounts
Mortgage loans
Automobile loans
Checking accounts
Savings accounts
The second category encompasses any other account for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the financial institution or creditor. This can include accounts like small business accounts or sole proprietorship accounts that may be vulnerable to fraud. Entities must assess factors such as how accounts are opened and accessed, along with their past experiences with identity theft, to determine if accounts fall into this risk-based category.
“Red flags” are defined as patterns, practices, or specific activities that indicate the possible existence of identity theft. These warning signs can emerge from various sources, guiding organizations to detect potential fraudulent activity. One significant category involves alerts, notifications, or warnings received from a consumer reporting agency. This includes fraud alerts or credit freezes placed on a credit report, or a notice of address discrepancy provided by the agency.
Another set of red flags relates to suspicious documents. This can involve identification documents that appear altered or forged, or a photograph on an ID card that does not match the individual presenting it. Inconsistent information, such as a name or address on an ID that differs from information provided by the person opening an account, also serves as a red flag. Similarly, suspicious personal identifying information is a warning sign. Examples include an address discrepancy, an invalid phone number, or a Social Security number already associated with another customer.
Unusual use of, or suspicious activity relating to, a covered account also constitutes a red flag. This might manifest as a sudden increase in account activity, an unusual number of new credit relationships, or an account that has been inactive for an extended period suddenly becoming very active. Finally, notices from various sources, such as customers, identity theft victims, or law enforcement authorities, regarding possible identity theft are considered red flags.
Organizations subject to the Red Flag Rule must develop and implement a written Identity Theft Prevention Program (ITPP). This program serves as a comprehensive framework to address the threat of identity theft within their operations. The ITPP must incorporate policies and procedures for four core elements to ensure compliance and effective fraud prevention.
The first element involves identifying relevant red flags specific to the covered accounts an entity offers or maintains. This requires assessing risk factors, such as the methods used to open and access accounts, and considering past experiences with identity theft.
The second element focuses on detecting these identified red flags. This involves establishing procedures for verifying identity during new account openings and monitoring existing accounts for suspicious transactions or activity, such as changes of address.
The third element outlines the appropriate responses to take once a red flag is detected. Responses should be commensurate with the degree of risk and can include:
Monitoring the account
Contacting the customer
Changing passwords
Closing the account
Notifying law enforcement
The final element requires ongoing administration of the program. This includes obtaining approval from the board of directors or a senior manager, providing staff training, and periodically updating the program to reflect changes in identity theft risks and business operations.