The Red Flags Rule is an amendment to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) created by the Federal Trade Commission in 2008. It was originally designed to cover any financial institution or company that took payments (and therefore maintained personal information about the client,) however many organizations have successfully lobbied to be exempted. The rule was apparently quite controversial, since the enforcement date was pushed back five times by the Federal Trade Commission.
The main point of the rule is to assure that companies who use your credit report to make decisions about giving you money will let you know if something looks wrong. Prior to the Red Flags, they could simply tell you “No.” and send you a piece of mail two weeks later that told you have to give your credit report, and had to dispute their findings. Unfortunately, since they never told you what their findings were, it was impossible to dispute.
Although they fought against it heavily, banks and credit companies are the primary targets of the Red Flags Rule. Among the list of things they must now watch out for our things most consumers would assume we’re already part of the business model - checking to make sure a photo ID looks like the person presenting it, making sure the signature on the license matches the signature on the application, or a new applicant providing a Social Security number that is already in the system, or has been provided by multiple other people.
There is still a lot of debate about who exactly is covered by the Red Flags Rule, since it does not specifically state what types of companies are covered. Instead, the Red Flags Rule identifies the type of information that is used by the companies who are covered by the rule. This provides the FTC with a lot of leeway in how to enforce the law. Some types of businesses are obvious, such as banks, credit unions, and credit card companies. However by the terms of the rule, utility companies would be covered, as well as cell phone providers, pawn shops, and companies that provide day-to-day services and bill you later. That last category could cover everything from childcare to newspaper delivery, so it’s easy to see that the government is painting with a very wide brush.
Although the Red Flags Rule seems to be far reaching, it doesn’t have the teeth to make companies comply. For one thing, as stated earlier, the Red Flags Rule is a modification of FACTA. This means consumers do not have a direct recourse since there is no provision for a civil suit. (In other words, if a company is in violation of these laws, the government can take them to court, but you can’t.) Violation of the Red Flags Rule will probably carry the same penalties as FACTA, since it is part of that law. And although FACTA provides for pretty stiff penalties, to date, courts have hesitated to impose any real fines for violations.
It is also important to know that special exceptions have been made to the Red Flags Rule, that should probably have been included. Specifically, medical providers are most likely not covered by the rule, thanks to the Red Flags Clarification Act of 20 10 (RFCA), special legislation passed by the Obama administration in December 2010.
The upshot here is that it looks really good on paper. Companies and government now have something they can point to as proof that they’re doing something about identity theft. But in the final analysis, it is just a piece of paper that may or may not help the victim of identity theft.