How to comply with the Red Flags Rule

Greg Belding
August 2, 2018

The Red Flags Rule, or RFR, is one of the identity theft protection rules issued under the Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). More specifically, RFR deals with protecting individuals from identity theft in the day-to-day operations of organizations and businesses that open and maintain consumer accounts. This article details how organizations and businesses can comply with RFR.

RFR Overview

Enforced by the Federal Trade Commission since December 31, 2010 (the rule itself took effect earlier, but enforcement was delayed several times), RFR mandates that financial institutions and creditors implement a written identity theft prevention program that will detect, prevent and mitigate identity theft when covered accounts are opened or maintained.

To fully understand RFR, it is important to understand how it defines certain terms. The important definitions are below:

Red Flag

Red flags are patterns, practices or specific activities that indicate the possible existence of identity theft. This is a broad definition that is intended to apply to as many practices, patterns and specific activities as possible. Those who want more specific guidance should consult the 26 illustrative examples of red flags listed in Supplement A to the RFR.

Financial Institutions

Financial institutions are:

  • National or state banks
  • Federal or state savings and loan associations
  • Mutual savings associations/banks
  • Federal or state credit unions
  • Anyone else who, directly or indirectly, holds a transaction account belonging to a consumer

Creditors

Creditors are anyone who regularly extends, renews or continues credit, or arranges to perform any of these actions. This includes assignees that participate in credit decision-making. Note that the Red Flag Program Clarification Act of 2010 narrowed this definition for RFR purposes: a creditor is covered only if, in the ordinary course of business, it regularly obtains or uses consumer reports in connection with credit transactions, furnishes information to consumer reporting agencies in connection with credit transactions, or advances funds based on an obligation to repay (other than funds advanced for expenses incidental to a service it provides).

Covered Accounts

There are two types of covered accounts, and RFR applies to both new and existing accounts:

  • Consumer accounts, meaning accounts used primarily for personal, family or household purposes that permit multiple payments or transactions. These include:
    • Consumer credit card accounts
    • Checking/savings accounts
    • Mortgage accounts
    • Auto loans
  • Any other account for which there is a reasonably foreseeable risk of identity theft to the customer or to the safety and soundness of the organization. This category can include:
    • Small business credit accounts
    • Sole proprietorship credit accounts
    • Single-transaction accounts

The focus when looking at covered accounts is how covered accounts are opened and accessed. Opening and accessing accounts are the points where identity theft is most likely to occur.

Your Organization's Program

To comply with RFR, your organization must have a written program. This program is required to contain policies and procedures that lay out how your organization will identify relevant red flags, detect them, respond appropriately to prevent and mitigate identity theft, and update the program over time. The steps listed below will guide you in creating your organization's RFR program.

Identify Red Flags

Since the definition for red flag is so broad, keep the following in mind.

Look for Risk Factors. Different kinds of accounts carry different kinds of risk. Analyze the accounts your organization offers and determine how each is opened, how access to it is provided, and what your organization has previously experienced with respect to identity theft.

Red Flag Sources. Develop a firm understanding of the sources of red flags relevant to your organization: your own experience with identity theft, the methods of identity theft you know of, and applicable supervisory guidance. Also, keep in mind that technological and criminal methods often intersect, so you should keep abreast of changes to your organization's technologies.

Common Types of Red Flags

RFR's Supplement A identifies various types of common red flags. Below are some commonly-occurring red flags:

Notifications/Alerts/Warnings from Consumer Reporting Agencies. Including fraud or active duty alerts, credit freeze notices, notices of address discrepancies, and credit reports that are inconsistent with an individual's pattern of credit use.

Suspicious Documents. Including documents that look forged or altered, identification whose photograph or physical description does not match the person presenting it, and applications that appear altered or forged.

Suspicious Account Activity. Aside from account activity that is inconsistent with the customer's established pattern, this category includes mail that is repeatedly returned as undeliverable while transactions on the account continue, a request for a new or replacement card shortly after a change of address, and notification that the customer is not receiving paper account statements.

Red Flag Detection

Organizations will also need a system set up to detect red flags as they occur. While RFR leaves the implementation and architecture of this system open-ended, operationally it should rest on identity verification when accounts are opened and authentication when they are accessed.

For new accounts, ensure that your detection system verifies the identity of the individual opening the account, including verifying the individual's name and home address and performing an in-person check of their state driver's license or ID card. You may also want them to bring in a piece of mail, such as a utility bill, that contains their home address.

For existing accounts, organizations will want to use readily-available technology to authenticate an individual's identity before granting access, such as multi-factor authentication, passwords, PINs and/or biometric methods, and to monitor transactions and verify the validity of change-of-address requests. RFR does not prescribe specific controls; choose them in proportion to the risk of the account and the channel through which it is accessed.
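To make the detection step concrete, the following Python script is an added example and is not from the original article or from any regulator. It runs two rules patterned on Supplement A examples (a new or replacement card requested shortly after a change of address, and mail repeatedly returned as undeliverable while transactions continue) over a constructed stream of account events. The event format, the account identifiers, the 30-day window and the two-return threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): one record per account action.
EVENTS = [
    {"account": "A-100", "ts": "2018-07-01T09:00", "type": "address_change"},
    {"account": "A-100", "ts": "2018-07-03T14:20", "type": "card_request"},
    {"account": "A-200", "ts": "2018-06-02T10:00", "type": "mail_returned"},
    {"account": "A-200", "ts": "2018-06-10T10:00", "type": "purchase"},
    {"account": "A-200", "ts": "2018-07-01T10:00", "type": "mail_returned"},
    {"account": "A-200", "ts": "2018-07-09T10:00", "type": "purchase"},
    {"account": "A-300", "ts": "2018-07-05T08:00", "type": "address_change"},
    {"account": "A-300", "ts": "2018-08-20T08:00", "type": "card_request"},
]

# Assumed thresholds; tune them to your own experience with identity theft.
CARD_AFTER_ADDRESS_WINDOW = timedelta(days=30)
MAIL_RETURN_THRESHOLD = 2


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def detect_red_flags(events):
    """Return a list of (account, flag_name) tuples for the supplied events.

    Rule 1: a card request within CARD_AFTER_ADDRESS_WINDOW of an address
            change on the same account.
    Rule 2: at least MAIL_RETURN_THRESHOLD returned mailings on an account
            that still shows purchase activity after a return.
    """
    # Group events per account in chronological order so rules can be stateful.
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append((_parse(e["ts"]), e["type"]))

    flags = []
    for account, history in by_account.items():
        last_address_change = None
        returns = 0
        activity_after_return = False
        for ts, kind in history:
            if kind == "address_change":
                last_address_change = ts
            elif kind == "card_request" and last_address_change is not None:
                if ts - last_address_change <= CARD_AFTER_ADDRESS_WINDOW:
                    flags.append((account, "card_request_after_address_change"))
            elif kind == "mail_returned":
                returns += 1
            elif kind == "purchase" and returns > 0:
                activity_after_return = True
        if returns >= MAIL_RETURN_THRESHOLD and activity_after_return:
            flags.append((account, "undeliverable_mail_with_activity"))
    return flags


if __name__ == "__main__":
    for account, flag in detect_red_flags(EVENTS):
        # In a real program this would feed the response step (contact the
        # customer, hold the card request, escalate) rather than just print.
        print(f"{account}: {flag}")
```

Running the script on the constructed events flags A-100 (card requested two days after an address change) and A-200 (two returned mailings with purchases continuing), and leaves A-300 alone because its card request came 46 days after the address change. The point is that several Supplement A red flags are correlations across events on one account, so the detection step needs account-level history, not just per-transaction checks.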

Prevention and Mitigation of Identity Theft

Compliance with RFR includes responding appropriately when red flags are detected, in order to prevent and mitigate identity theft. The response should be proportionate to the degree of risk. Appropriate responses include:

  • Monitoring a covered account for evidence of identity theft
  • Contacting the customer
  • Changing passwords, security codes or other devices that permit access to the account
  • Refusing to open a new account when you suspect identity theft
  • Closing an existing account, or reopening it with a new account number
  • Not attempting to collect on the account or not selling it to a debt collector
  • Notifying law enforcement
  • Determining that no response is warranted in the particular circumstances

Updating Your Organization's Program

Your program must be updated periodically to maintain compliance. Changes in the methods of identity theft, in the types of accounts you offer, in your technology and in your business arrangements (mergers, acquisitions, new service providers) can all mean new red flags. Your program must reflect these changes, so adjust it as needed to respond to your organization's experience and to the evolving RFR landscape.

Administration of the RFR Program

RFR mandates certain administrative requirements for RFR compliance. These requirements include:

Board Approval. The Board of Directors, or a committee of the Board, is required to approve the initial written RFR program. If your organization does not have a Board of Directors, then a senior manager has to approve it. The Board, committee or senior manager must also be involved in the oversight, development, implementation and administration of the program, including receiving reports on its effectiveness.

Training as Necessary. RFR requires that staff be trained "as necessary" to carry out the program. Staff who have already received the relevant training as part of existing anti-fraud efforts need not be retrained.

Service Provider Oversight. Monitoring your organization's service providers that conduct activities covered by RFR is essential. Your service providers must adhere to the same standards that your organization applies, for example by contractually requiring them to have reasonable policies and procedures for detecting and responding to red flags and to report red flags back to you.


Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.