FACTA Red Flag Regulation

Red Flag Rules

On October 31, 2007, the Joint Committee of the OCC, Federal Reserve Board, FDIC, OTS, NCUA and the Federal Trade Commission passed the final legislation for Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the RED FLAG RULES.

This Section requires all organizations subject to the legislation to develop and implement a written "Identity Theft Prevention Program" to DETECT, PREVENT and MITIGATE identity theft in connection with the opening of certain new accounts and with certain existing accounts.

Compliance Deadline:

The rules took effect on January 1, 2008. The final deadline for compliance was November 1, 2008 for all financial institutions except state-chartered credit unions. Enforcement for organizations subject to oversight by the Federal Trade Commission has been extended four times and is now pushed forward to June 1, 2010.

Who Must Comply?

Banks, thrifts, mortgage lenders, credit unions, US branches and agencies of foreign banks, US commercial lending companies of foreign banks, and certain "creditors", a term defined as "any person or business who arranges for the extension, renewal, or continuation of credit". This specifically includes utility companies, car dealers, telecommunications companies, health care companies, and debt collectors. Many other types of organizations could also fall under this definition.

Which Accounts Must Be Covered?

Accounts that must be covered include certain new accounts where a relationship exists and existing accounts, defined by the regulation as "Covered Accounts".

Which Accounts Need Not Be Covered?

Single, non-continuing transactions where no ongoing relationship exists.

What are the Covered Accounts?

A personal account that involves or is designed to permit multiple payments or transactions such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, and

Any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The comments to the regulation mention business accounts as an example of a type of account that would fall into this second category of covered accounts.
