The Identity Theft Red Flags and Address Discrepancy Rules require all users of credit reports to take certain actions whenever a credit report contains a notice of an address discrepancy. The rules also require all creditors, and those that regularly arrange for credit to be provided, to establish policies and procedures to protect against identity theft.

The final rules were published by all of the Federal banking agencies and the FTC on November 9, 2007, as part of a joint rulemaking.

Frequently Asked Questions About the Rules

Who is covered by the Identity Theft Regulations?

The Identity Theft Regulations consist of three different sets of requirements, and each set applies to different parties.

  • The first requirement deals with address discrepancies, and applies to all users of consumer reports.
  • The second group of requirements deals with identity theft prevention (the so called “red flags”) and applies to all financial institutions (such as a bank or thrift) and to all other “creditors”, including private mortgage lenders, who regularly and in the ordinary course of business:
    • obtain or use consumer reports in connection with credit transactions;
    • furnish information to consumer reporting agencies in connection with credit transactions; or o advance funds to or on behalf of a person, which there is an obligation to repay or is repayable from pledged property.
  • The third set of requirements applies to companies that issue credit or debit cards.

These questions and answers explain the address discrepancy rules requirements, but do not discuss the rules applicable to creditors and card issuers.

When did the regulations go into effect?

The joint final rules and guidelines became effective January 1, 2008. The mandatory compliance date for this rule was December 31, 2010. A change in the law on December 18, 2010, amended the definition of "creditor" to limit the circumstances under which creditors are covered.

Why did the Federal agencies issue these regulations?

Congress passed a law in 2003 (the FACT Act) that requires the Federal Trade Commission, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Comptroller of the Currency and the Office of Thrift Supervision (the Agencies) to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. This law also requires that these agencies identify patterns and practices that are associated with identity theft, so-called “red flags.”

Are real estate agents covered by these new rules?

If a real estate agent uses credit reports as part of his or her business, the real estate agent is required to comply with the address discrepancy provisions. If the real estate agent is a covered “creditor”, he or she also has to comply with the identity theft “red flag” requirements.

I use credit reports in my business. What am I required to do under the new address discrepancy regulation?

Any user of a credit report must develop a procedure designed to enable that person to reasonably determine that the information in the report relates to the customer or other party for whom the report was obtained, when the user obtains notice of an address discrepancy. In other words, if you obtain a credit report to determine the creditworthiness of a customer, and the report alerts you that there is an address discrepancy, you must have a policy and procedure in place to verify that the report relates to your customer and not another individual. In addition, if you have confirmed an accurate address for the customer, you must have a policy and procedure in place to forward that information to the consumer reporting agency.

If I receive a notice of an address discrepancy, what is an acceptable policy and procedure?

If you obtain a notice of an address discrepancy as part of a credit report, you must have a procedure to ensure that the credit report relates to your customer, and not another individual. An acceptable policy and procedure in that case could be that you will compare the other data in the credit report with the identification supplied by the customer, so that you can match date of birth, phone number, and employment information with the credit report data. Another policy and procedure would be to ask to the customer to review the report and verify that the information in the report relates to the customer’s credit history.

What is my obligation after I verify the correct address?

If you are able to verify the correct address for your customer, the regulations require that you communicate this information to the consumer reporting agency that sent you the notice of address discrepancy, but only if you usually furnish information about your customers to that agency.

What are the identity theft regulations applicable to certain creditors?

As noted previously, another set of requirements apply to financial institutions and certain other creditors. These regulations mandate policies and procedures to detect, prevent and mitigate identity theft, primarily through the identification of practices that are “red flags” for criminal behavior.

I am a real estate agent and I think I am a covered “creditor”. Where can I find more information on what I have to do under the red flags regulation?

The Federal Trade Commission has created a site to help businesses educate their staff and colleagues about complying with the Red Flags Rule. The site has information on who must comply and what must be part of a compliance program.

Where can I find the address discrepancy and red flags rules?

The rules are codified at 16 CFR Part 68. The rules were published in the FTC Rule in the Federal Register, 72 Fed. Reg.63718

Who can I call for more information about the address discrepancy and red flags regulations?

The FTC Bureau of Consumer Protection, Division of Privacy and Identity Protection, can be reached at (202) 326-2252.

Where can I find the rules?

FTC Rule in the Federal Register, 72 Fed. Reg.63718 (November 9, 2007)