FACT Act amendments to the Fair
Credit Reporting Act directed the OCC, OTS, NCUA, Federal
Reserve, FDIC and Federal Trade Commission (collectively, the
"Agencies") to issue regulations and guidance requiring
financial institutions and creditors to develop and implement a
written Identity Theft Prevention Program ("ID Theft Program")
to detect, prevent and mitigate identity theft in opening or
maintaining certain covered accounts. On November 9, 2007, the
Agencies issued the joint final rule commonly referred to as the
Red Flags Rule. The Red Flags Rule became effective on January
1, 2008, with delayed mandatory compliance until November 1,
2008.
Scope of the Red Flags Rule. The Red Flags Rule applies to any
financial institution or creditor that offers or maintains any
new or existing covered account. Financial institutions are
banks, savings and loan associations, other depositories and
foreign banking organizations or their subsidiaries regulated by
a federal banking agency. Creditors are lenders, finance
companies, auto dealers, mortgage brokers and other non-bank
extenders of credit subject to regulation by the FTC. Covered
accounts include accounts offered or maintained by a financial
institution or creditor: (i) that involve or are designed to
permit multiple payments or transactions; and (ii) for which
there is a reasonably foreseeable risk of identity theft. For
these purposes, an account is established when a person enters
into a continuing relationship with a financial institution or
creditor to obtain a product or service primarily for personal,
family, household or business purposes.
The expansive definition of covered account in the Red Flags
Rule captures certain accounts that are normally exempted from
other requirements of the FACT Act, such as trust or custodial
accounts. While the Agencies acknowledge that identity theft is
generally directed at consumer accounts, they believe over time
identity theft could expand to affect a broader number of both
business and consumer accounts. Accordingly, they have used
discretion granted to them under Section 114 of the FACT Act to
define covered account in a manner that applies the Red Flags
Rule to virtually "any relationship to obtain a product or
service that an account holder or customer may have with a
financial institution or creditor," including many fiduciary,
agency, custodial, business, consumer, brokerage and investment
advisory accounts.
Required Elements of ID Theft Program. The Red Flags Rule
requires financial institutions and creditors that offer or
maintain covered accounts to develop and implement a written ID
Theft Program to detect, prevent and mitigate identity theft and
detect red flags for identity theft. Identity theft means a
fraud committed or attempted using identifying information of
another without authority.
A red flag is a pattern, practice or specific activity that
indicates possible identity theft. An ID Theft Program must be
appropriate to the size and complexity of the financial
institution or creditor and its activities and operations. At a
minimum, an ID Theft Program must: (i) identify relevant red
flags for covered accounts and incorporate those red flags into
the ID Theft Program; (ii) detect red flags that have been
incorporated; (iii) respond appropriately to red flags that are
detected to prevent and mitigate identity theft; and (iv) ensure
the ID Theft Program (including the red flags determined to be
relevant) is updated periodically to reflect changes in risks and
the safety and soundness of the financial institution or
creditor.
Each financial institution or creditor must also provide for the
continued administration of its ID Theft Program and obtain
approval of its initial written program from either its board of
directors or an appropriate committee of the board. The board,
its designated committee or a designated senior management
employee must be involved in oversight, development,
implementation and on-going administration of the ID Theft
Program. Lastly, financial institutions or creditors must train
staff to implement the program, exercise effective oversight and
develop and implement any revisions taking into consideration
Interagency Guidelines on Identity Theft Detection, Prevention,
and Mitigation (the "Interagency Guidelines").
Credit Cards Special Rule:
In addition to the requirements detailed above, special
requirements apply to financial institutions or creditors that
are card issuers. Card issuers must put in place procedures to
address validation requirements to mitigate the risk of identity
theft in connection with a change of address notification from a
cardholder.
Under the Red Flags Rule, card issuers must establish and
implement reasonable policies and procedures to assess the
validity of a change of address request and any request for an
additional or replacement card within a short period of time
(e.g., the first 30 days) after a change of address.
Under such circumstances, card issuers may not issue an
additional or replacement card until, in accordance with their
address validation requirements, they: (i) notify the cardholder
of the change of address request at the cardholder's former
address or by any other means previously agreed-to by the
cardholder and give the cardholder a reasonable means of
reporting an incorrect address; or (ii) otherwise assess the
validity of the change of address in accordance with the card
issuer's ID Theft Program.