DCU Bulletin
Red Flags Rule Compliance

April 21, 2009

NO: B-09-02

What is the "Red Flags Rule?"

On May 1, 2009, the Washington State Department of Financial Institutions (DFI), Division of Credit Unions (DCU) will include a new compliance factor when examining credit unions. Credit unions must comply with the federal “Red Flags Rule.”

The new compliance is the result of concern about identity theft. The federal government (Federal Trade Commission-FTC) developed the new rule to help financial institutions and others prevent and catch identity theft. All Washington state-chartered credit unions must include Red Flags compliance as part of their written policies and procedures.

What must a credit union do to comply?

Credit unions examined by DCU will be checked for Red Flags compliance as part of their regular or risk-based examinations. Compliance will be established by credit unions incorporating Red Flag procedures into their existing policies. Many credit unions already perform most or all of the Red Flag actions, as part of their Identity Theft Prevention Programs. The exact methods may differ among credit unions, and the rule must be read and reasoned through, in order to apply it appropriately to a particular credit union’s operations.

In summary, Red Flag Programs require at least the following:

• Each credit union must have reasonable policies and procedures to identify the “red flag” indicators of possible identity theft, which include suspicious patterns, practices or activities.
• A credit union’s Red Flag Program must be designed to detect the Red Flags relevant to that credit union’s operations.
• The Program must spell out the specific actions a credit union will take when Red Flags are detected.
• The Program must be periodically reviewed and updated by the credit union.
• The Program must be managed by the Board or senior employees, and include staff training.

Where can a credit union go for help with understanding and developing its Red Flag Program?

A useful “how-to” guide to the Red Flags Rule is available on the FTC website: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

If you have questions about compliance with the rule, you may contact the FTC directly at RedFlags@ftc.gov.

Additional information can be found at the NCUA website: http://www.ncua.gov/letters/2008/CU/08-CU-24.doc.

The DCU does not provide individual credit unions with legal advice. If you need help developing and drafting an Identity Theft Prevention Program or policies and procedures for Red Flag Rule compliance for your credit union, you should contact your attorney.

If you have DCU enforcement questions, please contact Mike Delimont at 360-902-8753, mdelimont@dfi.wa.gov.