Q: Do the Red Flags Rules and Guidelines apply to the foreign branches of U.S. banks?
A: No. The FCRA, like many federal consumer protection laws, does not expressly address extraterritorial applicability. Because a foreign branch of a U.S. bank is not an entity located in the United States, the Red Flags Rules and Guidelines do not apply. This conclusion is consistent with a number of consumer protection regulations that exclude foreign branches of U.S. banks from coverage. See Regulation Z, Official Staff Commentary, 12 C.F.R. part 226, supplement I, § 226.1(c)-1; Regulation E, Official Staff Commentary, 12 C.F.R. part 205, supplement I, § 205.3(a)-2; Regulation M, Official Staff Commentary, 12 C.F.R. part 213, supplement I, § 213.1-1. Other regulations that impose customer information collection and verification requirements, such as the Customer Identification Program regulations implementing the USA PATRIOT Act, do not apply extraterritorially. See 31 C.F.R. § 103.121.
Nevertheless, as a matter of safety and soundness, financial institutions are strongly encouraged to implement an effective identity theft prevention program throughout their operations, including in their foreign offices, consistent with local laws.