Identity Theft Red Flag Rules

CU Rx will perform a risk assessment based on:

  • The type of accounts and products offered
  • Interviews with staff
  • Assessment of current mitigation strategies and procedures in place related to identity theft

Based on the risk assessment, CU Rx will tailor an ID Theft Red Flag Program that:

  • Identifies patterns, practices, and specific activities that indicate the possible existence of identity theft and the necessary mitigation strategy for each
  • Includes staff training to ensure all employees understand the Program and their responsibilities

Identity theft has become more prevalent, and as a result, the NCUA and FTC jointly issued Identity Theft Red Flag Rules requiring credit unions and creditors with covered accounts to develop and implement written identity theft prevention programs. The rules also require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The programs must provide for identifying, detecting, and responding to patterns, practices, or specific activities – known as "red flags" – that could indicate identity theft. CU Rx reviews your credit union's Identity Theft Red Flag program and procedures. From there, we'll develop or update your written plans to ensure your members are protected. We also provide training for your staff as needed to ensure compliance.

The National Credit Union Administration (NCUA), Federal Trade Commission (FTC) and other financial institution regulators issued joint guidance requiring each financial institution or creditor to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.

The implementing rules also require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. In summary, the joint rules provide guidance regarding reasonable policies and procedures that will help identify “red flags,” which are patterns, practices, or activities that indicate the possible risk of identity theft, along with rules requiring financial institutions and other creditors to implement the guidelines.

The guidelines list a number of “red flags” including:

  • The existence of fraud alerts
  • Altered and inconsistent information
  • Account use that fits a pattern of fraud
  • Notifications of unauthorized charges or fraudulent account charges
  • Attempts to access accounts by unauthorized users

The rules allow for a risk-based, flexible approach that requires financial institutions and creditors to develop a program that is appropriate to the size and complexity of the institution, as well as the nature and scope of its activities.