Red Flag Rule: Background

Report home | Read the report (PDF) | Previous section | Next section


The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission and bank regulatory agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. The requirement includes special regulations directing debit and credit card issuers to validate notifications of changes of address under certain circumstances. 15 U.S.C. § 1681m(e). Another FCRA amendment calls for additional joint regulations offering guidance regarding reasonable policies and procedures that a user of a consumer report (e.g., a credit grantor) should employ when the user receives a Notice of Address Discrepancy. 15 U.S.C. § 1681c(h).

These Red Flag and Address Discrepancy regulations were published in final form on November 9, 2007, 72 Fed. Reg. 63718 (Nov. 9, 2007). They are separate regulations. The mandatory compliance date for both rules is November 1, 2008, but the FTC delayed enforcement of its Red Flag rule until November 1, 2009. [4] Although six agencies issued common regulations, the regulations that will affect health care providers are those from the Federal Trade Commission. 16 C.F.R. Part 681. The Federal Trade Commission will also be the agency that enforces the rule for the health care sector.




[4] See <>.



Roadmap: Red Flag and Address Discrepancy Requirements – Suggestions for Health Care Providers: I. Background


Report home | Read the report (PDF) | Previous section | Next section