Data Privacy Red Flags Every Business Owner Should Know

According to the Federal Trade Commission (FTC), its Consumer Sentinel Network received 4.7 million reports in 2020.

The top 3 reports were:

  1. Identity Theft
  2. Imposter Scams
  3. Online Shopping and Negative Reviews

Among these, the FTC received 1.4 million identity theft reports alone, almost twice as many as in 2019.

What is Identity Theft and Why Scammers Want to Steal Your Personal Information?

Simply put, identity theft is any type of fraud that identity thieves will use to steal someone's personal information, including:

So why do scammers want to steal your personal info?

There are a couple of reasons (and we go into them deeper in this article) but, in general, it is to either use this information for their own purposes, or to sell the information to someone else.

In fact, a study from 2017 showed that almost any piece of personal data can be sold for a price on the dark web.

How much is your personal information worth on the dark web?

For instance, according to the report, credit card information can be bought for as little as $5 and as much as $110, and login information (username and password) for online payment services such as PayPal goes for between $20 and $200 each.

Red Flag Rules - How They Help Financial Institutions to Create an Identity Theft Prevention Program?

In order to help consumers deal with identity theft, the United States Congress amended the Fair Credit Reporting Act (FCRA) to require certain federal agencies, including the Federal Trade Commission (FTC), to adopt Red Flag Rules and guidelines for identity theft.

The "Red Flag Rules" went into full effect on 1st November, 2009.

So what are the Fair and Accurate Credit Transactions Act: Red Flag Rules and who do they apply to?

The Red Flag Rules are a set of guidelines that an organization, such as a financial institution, can use to establish, carry out and oversee an identity theft prevention program.

This program must have four key elements:

  1. Reasonable policies and procedures to detect identity theft red flags in the organization's day-to-day operations
  2. The ability to detect red flags that you've identified already
  3. Explaining the necessary actions to take once the red flag is detected
  4. How to update the program to deal with new and emerging threats

Who Do the Red Flag Rules Apply to?

Any financial institution or creditor that falls under the Fair Credit Reporting Act is subject to the Red Flag Rules.

This includes:

Financial Institutions

This includes any entity regulated by the Securities and Exchange Commission (SEC) that holds a transaction account that belongs to an individual.

This can be:


Creditors

A creditor is any entity that advances or loans money to others. However, not all creditors fall under the FACTA Red Flag Rules.

This depends on answering the following questions:

Does the business or organization regularly:

  1. Bill customers or postpone payment for products and services?
  2. Grant or in any other way arrange credit?
  3. In any way share in the decision to renew, extend or otherwise set the terms of credit to the consumer?

If you answered "No" to all of the above, then the Red Flag Rules do not apply to your organization.

However, if you answered "Yes" to one or more, then the follow-up question is:

Does my business or organization regularly and in the ordinary course of business:

  1. Obtain or otherwise use consumer reports in any connection with a credit transaction?
  2. Give credit reporting companies information regarding credit transactions?
  3. Send funds to or for someone who must repay them at a later date?

If the answer to all of these is again "No", the Red Flag Rules definitely do not apply to your organization.

But, if the answer to one or more questions is a "Yes", then you are covered by the Rule.

Covered Accounts

In addition to financial institutions and creditors, the Red Flag Rules also apply to two types of accounts.

These are called "Covered Accounts" and they fall into two categories:

  1. Consumer accounts that involve or allow multiple payments and transactions
  2. Any other account for which there's a reasonable and foreseeable risk of identity theft to the consumer and that is maintained by a financial institution or a creditor.

How to Comply With Red Flag Rules?

The FTC recommends using a 4-step process to comply with the Red Flag Rules, which includes:

Step 1: Identify Red Flags Relevant to Your Financial Institution

Not all red flags will apply to you. To identify red flags that might be relevant to your business, you need to consider:

  1. What types of covered accounts do you maintain or offer and their risk factors
  2. The different sources (online or offline) of red flags, including new techniques and technologies that scammers might employ to steal information
  3. The different categories of red flags. These can be:

Step 2: Detecting Red Flags

Once you've identified any red flags that are relevant to your business, the next step is to create the procedures and policies that will help you in detecting them.

For example, you might use certain software or programs that help you verify user identity and authenticate them, or ones that can monitor transactions. These tools can help you create appropriate responses for both:

1) New Accounts

When consumers open, say, a new savings account, they might go through a procedure that involves stating their name, address and some identification. Your organization, in turn, must correlate the information they've given you with a government-issued ID, passport, or other such documents, or compare the information with consumer reporting agencies, credit report services or another source.

2) Existing Accounts

As for existing accounts, your organization's identity theft prevention program should have clear procedures to verify the identity of the person you are dealing with, monitor transactions and verify the validity of any change-of-address requests.

Step 3: Respond to Identity Theft

Once a red flag is identified and detected, the next step is to respond to it and prevent or mitigate identity theft.

This will largely depend on the level of risk the identity theft poses for your organization and the consumer themselves, but some of the responses include:

Step 4: Conduct Periodic Risk Assessment and Update the Program as Needed

Finally, as new technologies and threats emerge, financial service providers shouldn't assume that having a written identity theft program in place will be enough for good.

Instead, you must periodically assess your risks and update the program to reflect new techniques and technologies that identity thieves might use.


Fighting identity theft is a crucial part of data protection and necessary for any financial institution or creditor that wants to prevent data breaches.

We hope this article will help you prevent and mitigate identity theft threats in your organization as well.

Finally, do not forget that if you detect identity theft, you can report it to the FTC and protect your credit card accounts and other personal information you have with financial institutions and creditors.