The FTC Red Flags Rule program details the types of businesses and organizations are required to participate. The program requires “financial institutions” and “creditors” (depending on their business activities) to conduct a periodic risk assessment to determine if they have “covered accounts.”
The determination will not be based on the industry or sector, but rather on whether a business’s activities fall within the relevant definitions. A business must implement a written program only if it has covered accounts, as defined by the FTC.
The Red Flags Rule defines a financial institution as a “state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person that, directly or indirectly, holds a transaction account belonging to a consumer.”
While many financial institutions are under the jurisdiction of the federal bank regulatory agencies or other federal agencies, state-chartered credit unions are one category of financial institution under the FTC’s jurisdiction.
Suspicious patterns or practices, or specific activities, provide “red flags” on the possibility of identity theft.