The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program.

The federal financial institution regulatory agencies and the Federal Trade Commission have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.

According to a report of the President’s Identity Theft Task Force, identity theft, defines as "a fraud attempted or committed using identifying information of another person without authority, results in billions of dollars in losses each year to individuals and businesses.

The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into theProgram;

-- Detect red flags that have been incorporated into the Program;

-- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and

-- Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The agencies also issued guidelines to assist financial institutions and creditors in developing and implementing a Program, including a supplement that provides examples of red flags.

The final rules are effective on January 1, 2008. Covered financial institutions and creditors must comply with the rules by November 1, 2008.

Although many companies that handle sensitive information are not covered by the rule, the FTC has, in the past, encouraged all companies to take reasonable steps to assure customer information has safeguards.