Q: What is the relationship between the information security standards issued by the Agencies and the Red Flags Rules and Guidelines?
A: The information security standards help to reduce identity theft (“a fraud committed or attempted using the identifying information of another person without authority”) by keeping individuals’ sensitive data from falling into the hands of an identity thief. The information security standards require financial institutions to have reasonable policies and procedures that are designed to safeguard customer information and protect it from unauthorized access or misuse and to ensure the proper disposal of customer and consumer information.
By contrast, the Red Flags Rules and Guidelines seek to ensure that financial institutions and creditors are alert for signs or indicators that an identity thief is actively misusing another individual’s sensitive data, typically to obtain products or services from the institution or creditor. The Red Flags Rules require financial institutions and creditors that offer or maintain “covered accounts” to have policies and procedures to identify patterns, practices, or activities that indicate the possible existence of identity theft, to detect whether identity theft may be occurring in connection with the opening of a covered account or an existing covered account, and to respond appropriately.