Red Flag Regulations for Mortgage Brokers and Lenders

Red Flag Regulations - Financial Institutions and Creditors Only

In addition to the general regulations that apply to all users of consumer reports, there are additional Red Flag regulations that apply specifically to financial institutions and creditors. These regulations are even more burdensome. Per the regulations, these entities must meet four basic requirements:

  1. Financial institutions and creditors must periodically identify whether they maintain accounts covered by the regulations. Covered accounts are basically those involving, or designed to allow, multiple payments or transactions. Examples include personal credit card accounts, residential mortgage loans, utility accounts, and other accounts for which there is a reasonably foreseeable risk of identity theft;
  2. Financial institutions and creditors must establish an identity theft prevention program, as described below;
  3. The program must be administered by the financial institution or creditor; and
  4. Each financial institution and creditor must consider the Red Flag guidelines set forth in Appendix A to the regulations and include in its identity theft prevention program those that are appropriate.

Identity Theft Prevention Program

As explained above, one part of the regulations requires the establishment of an identity theft prevention program that is designed to "detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account." Such a program must include reasonable policies to:

  1. Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers, and incorporate those Red Flags into its Program;
  2. Detect Red Flags that have been incorporated into the Program;
  3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  4. Ensure that the Program is updated periodically to reflect changes in risks from identity theft.

Administration of the Program

To administer the program, the regulation requires each financial institution or creditor to:

  • Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
  • Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
  • Train staff, as necessary, to effectively implement the Program; and
  • Exercise appropriate and effective oversight of service provider arrangements.