Skip to main content
Information Notice - 7/1/09

New FTC Red Flags Rule Template

Published Date:

Note: FTC's Red Flags Rule Enforcement began Jan 1, 2011. On July 21, 2011, the Dodd-Frank Act transferred responsibility for identity theft red flag rules and guidelines to the SEC and CFTC for the entities they regulate. On February 28, 2012, the SEC and CFTC jointly proposed for comment red flag rules and guidelines that are substantially similar to the FTC’s and do not propose new requirements or cover new entities. The comment period closed May 7, 2012.

FINRA has developed a new, optional template that firms may use as a guide when fulfilling their requirements under the Federal Trade Commission's (FTC's) Red Flags Rule. The Red Flags Rule, which implements obligations imposed by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), requires specified firms to create a written Identity Theft Prevention Program(ITPP) that is designed to identify, detect and respond to "red flags"—patterns, practices or specific activities—that could indicate identity theft.

If a firm chooses to use this template as a guide, it must adapt it to reflect the individual firm's business situation. Without such analysis and modification, the firm's ITPP will not comply with regulatory requirements.

The Red Flags Rule requires firms to prepare an ITPP if they are either a "financial institution" or a "creditor" and offer "covered accounts." FINRA anticipates that most member firms will be required to prepare an ITPP under the Red Flags Rule. Even if it does not have to prepare an ITPP now, a firm must have internal controls to periodically review its operations and prepare an ITPP if it later becomes a financial institution or creditor that offers covered accounts. See Regulatory Notice 08-69 for details.

The FTC Red Flags Rule template is available at www.finra.org/customerprotection/redflags. For more information on the FACT Act, see the Federal Register notice at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.

Questions about this Notice may be directed to:

  • John Komoroske, Vice President, Member Relations, at (202) 728-8475; or
  • Patricia Albrecht, Assistant General Counsel, at (202) 728-8026.

Questions about complying with the FTC Red Flags Rule may be directed to [email protected].

Note: FTC's Red Flags Rule enforcement began Jan 1, 2011. On July 21, 2011, the Dodd-Frank Act transferred responsibility for identity theft red flag rules and guidelines to the SEC and CFTC for the entities they regulate. On February 28, 2012, the SEC and CFTC jointly proposed for comment red flag rules and guidelines that are substantially similar to the FTC’s and do not propose new requirements or cover new entities. The comment period closed May 7, 2012.