
Red Flags Rule

Compliance With FTC Identity Theft Legislation

Legal Background

The Red Flags Rule was established by the U.S. Federal Trade Commission (FTC) under the 2003 Fair and Accurate Credit Transactions Act (FACTA). The rule requires both financial institutions and creditors to establish and maintain a written program to identify, detect, prevent, and mitigate identity theft for “covered accounts” in their day-to-day operations. The definitions of “creditor” and “covered account” are broad enough to apply to a wide range of companies that hold “transaction accounts” belonging to a consumer, such as brokerage firms or mutual funds, banks, savings and loan associations, mutual savings banks, credit unions, and even public utilities.

Path to Compliance

The path to successful Red Flags compliance is a four-part process:

  1. Identify: Institutions must identify the business-specific identity theft “red flags” they are likely to encounter
  2. Detect: Institutions must define procedures to detect those red flags in day-to-day operations
  3. Prevent and mitigate: Institutions must define the actions to take when red flags are identified
  4. Maintain: Institutions must define how their Red Flags program will be maintained and updated

Penalties and Risks

While there are presently no criminal penalties for breach of Red Flags requirements, the FTC may impose a fine of $2,500 per individual incident (customer or transaction), in addition to state penalties of $1,000 per individual incident (customer or transaction, plus attorney’s fees). After receiving an initial regulatory warning for non-compliance, organizations may be fined up to $11,000 per individual incident. For organizations with tens or hundreds of thousands of customers, a widespread breach may be financially disastrous, as well as extremely damaging to your company’s reputation.

Policy Definition

Aerstone can work with your organization to develop the necessary privacy and security policies, and conduct the necessary staff training, that will ensure full compliance with FTC Red Flags requirements. Our application testing services can also help ensure the security posture of your public-facing systems, so that all your sensitive customer information is properly protected.

Our Experience Sets Us Apart

Aerstone is an NSA-certified vulnerability assessor, and a service-disabled veteran-owned small business.

We approach each engagement with the highest levels of professionalism, determination, and creativity, honed by years of working with security professionals across the military, intelligence community, civilian government, and private industry.
