Identity Theft Red Flags

Quick Answer

Regulation S-ID requires a firm that offers or maintains covered accounts to establish a written Identity Theft Prevention Program. The program identifies, detects, responds to, and periodically updates relevant red flags, which are patterns, practices, or activities indicating possible identity theft. It also requires approval, oversight, training, and service-provider oversight.

Regulation S-ID and Red Flags

Regulation S-ID is the identity-theft red flags framework. A red flag is a pattern, practice, or specific activity that indicates possible identity theft.

A firm that offers or maintains covered accounts establishes a written Identity Theft Prevention Program.

The Identity Theft Prevention Program

The program is designed to manage relevant red flags through a continuing cycle:

Program functionWhat it does
IdentifyFinds relevant identity-theft red flags
DetectRecognizes red flags when they occur
RespondAddresses detected red flags
Periodically updateKeeps the program current as relevant red flags change

The program also has governance requirements:

  • Approval
  • Oversight
  • Staff training
  • Service-provider oversight

Identify -> detect -> respond -> periodically update.

Exam Tip: Gotchas

  • Regulation S-ID concerns possible identity theft involving covered accounts. It is not the general privacy-and-safeguarding framework.
  • Regulation S-P concerns privacy and safeguarding of customer information; Regulation S-ID concerns detecting, preventing, and mitigating identity theft.

Think of it this way: Regulation S-P controls the privacy of the information. Regulation S-ID uses warning signals to help a firm spot and address possible misuse of an identity.