Q: The Red Flags Rules require a financial institution or creditor to consider the Guidelines and adopt those that are appropriate. Does this requirement also apply to the list of red flags in the supplement to the Guidelines?
A: The preamble language in Supplement A provides only that a financial institution or creditor “may” consider incorporating into its Program the examples of red flags. There is no requirement that it do so. A financial institution or creditor may find that none or only some of these examples are relevant to its business. These examples also may be relevant only when combined with one another or with other indicators of identity theft. The preamble language notes that a financial institution’s or creditor’s compliance with the rules will be determined based on the overall effectiveness of its Program, which must be appropriate to its size and complexity and the nature and scope of its activities, and not on whether the institution or creditor did or did not include specific red flags from the list of examples. Furthermore, these examples are not intended to be a comprehensive list of red flags.