Identity Theft Prevention - FTC Red Flag Rules

Identify Theft Prevention

Federal Trade Commission’s ‘Red Flag Rules’


The Fair and Accurate Credit Transactions Act of 2003 was enacted by Congress to address the growing problem of identity theft. Sections 114 and 315 of this law resulted in a set of regulations issued jointly by the Federal Trade Commission (FTC) and the federal financial institution regulatory agencies called ‘Red Flag Rules’. (For the text of the rules, see the Federal Register for Nov. 9, 2007.) While this law is directed primarily at financial institutions, it affects nonprofit and government entities that defer payment for goods or services. If the assistive technology (AT) reuse program allows the customer to make future payments for devices or services, it is deemed a “creditor” and is covered by the Act under the jurisdiction of the FTC.


The rules require that a creditor (the AT reuse program) that holds a consumer account (the customer’s account for future payments for a device or for repair services) must develop an Identity Theft Protection Program to combat the possibility of identity theft with existing or new accounts. The rules became effective on Nov. 1, 2008.


The AT reuse program must implement an Identity Theft Protection Program that consists of reasonable policies and procedures for detecting, preventing and mitigating identity theft. The implementation of the Act allows flexibility in designing a compliance plan. The size and complexity of the plan depends on the size of the organization, the nature of the customer accounts and customer transactions. The “reasonable policies and procedures” must specify how the organization will:

Identify relevant patterns, practices and specific forms of activity that are “red flags” signaling possible identity theft, then incorporate those red flags into the Identify Theft Protection Program. Detect red flags that have been incorporated into the Program. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

Guidelines issued by the FTC can be found at The guidelines and a supplement that lists possible red flags should be helpful resources in developing policies and procedures.


See Attachments to this article for an example of a policy developed by Paraquad, Inc. in St. Louis.




New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft. Retrieved Sept. 3, 2009, from


Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rules and Guidelines, Federal Register, Nov. 9, 2007. Retrieved Sept. 3, 2009, from




Please note that by selecting an Internet link you will be directed to an external site, and the Pass It on Center does not control the content of the site.



This work is supported under a five-year cooperative agreement # H235V060016 awarded by the U.S. Department of Education, Office of Special Education and Rehabilitative Services, and is administered by the Pass It On Center of the Georgia Department of Labor – Tools for Life.  However, the contents of this publication do not necessarily represent the policy or opinions of the Department of Education, or the Georgia Department of Labor, and you should not assume endorsements of this document by the Federal government or the Georgia Department of Labor.


File Name File Size
There are no attachments for this article

Other Information

Title: Identity Theft Prevention - FTC Red Flag Rules
Module: Finance/Accounting
Author: Trish Redmon
Audience: Administrator
Sub Title: Fair and Accurate Credit Transactions Act of 2003
Procedure: Compliance with identity theft safeguards
Organization Source: PIOC and Paraquad
Last Reviewed: 10-25-2009 4:34 PM