Who Must Comply with the Red Flags Rule?
Under the Red Flags Rule, both financial institutions and certain creditors must conduct periodic risk assessments to identify "covered accounts." This classification is not determined by the industry but by the specific activities of a business. Financial institutions include banks, savings associations, and credit unions, while the definition of a creditor is based on their practices, such as deferring payments or granting credit.
To ascertain if a business qualifies as a creditor, it must evaluate its operations regarding consumer reports and credit transactions. If identified as a creditor, the business must then determine if it maintains any covered accounts, which fall into two categories: consumer accounts for personal use that permit multiple transactions and any accounts posing a foreseeable risk of identity theft. The assessment of risk should consider how accounts are opened and accessed, particularly for those that can be accessed remotely. Businesses without covered accounts are not required to implement a written program, but they are encouraged to conduct regular risk assessments, as their services and structures may change over time.
These materials were obtained directly from the Federal Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works. These may not be the most recent versions. The U.S. Government may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.