Q: If a financial institution or creditor detects Red Flags and, as a result, suspects that an applicant is an identity thief, what response do the Red Flags Rules require?
A: The Red Flags Rules state that the Program of a financial institution or creditor must include policies and procedures for appropriately responding to identity theft that are commensurate with the degree of risk posed. The Rules do not require a specific response to any particular situation but provide an illustrative list of appropriate responses. Appropriate responses to the situation described above could include not opening the account, filing a suspicious activity report (“SAR”) (for those financial institutions and creditors that are subject to SAR rules), notifying law enforcement, and/or contacting the customer whose identity has been stolen. See 12 C.F.R. § __.90(d)(2)(iii) and 16 C.F.R. § 681.2(d)(2)(iii).