March 15, 2026

What is the Red Flags Rule?

Disclaimer: This article is for educational purposes only and does not constitute legal, tax, or financial advice. Federal and state regulations change frequently. Consult a qualified attorney, CPA, or licensed professional before making decisions based on regulatory requirements discussed here.

The Red Flags Rule is a federal regulation under the Fair and Accurate Credit Transactions Act (FACTA) that requires financial institutions and creditors to develop and implement written identity theft prevention programs. The program must include procedures to identify "red flags" (warning signs of identity theft), detect them in day-to-day operations, respond appropriately to prevent or mitigate theft, and update the program periodically.

The Red Flags Rule applies to any business that regularly extends credit or arranges for others to extend credit. For real estate, this includes mortgage lenders, property management companies that bill tenants, and potentially real estate investors who offer seller financing or lease-to-own arrangements.

Who must comply

The rule uses a broad definition of "creditor" that goes beyond traditional lenders. Any entity that regularly participates in a credit decision or obtains or uses consumer credit reports is potentially covered. Property management companies are included because they effectively extend credit to tenants (services are provided before monthly rent is collected). Real estate brokerages may be covered if they participate in arranging financing.

Individual investors who occasionally provide seller financing may not be covered, but investors who regularly offer financing, operate property management businesses, or run rent-to-own programs should evaluate their compliance obligations.

Common red flags in real estate

The FTC and federal banking agencies have identified 26 categories of red flags. Those most relevant to real estate include: documents that appear altered or forged, personal identifying information inconsistent with information on file, unusual activity on a tenant or buyer account, notices from identity theft victims or law enforcement, and credit reports that indicate fraud alerts or inconsistent addresses.

Specific real estate scenarios where red flags may appear: a rental applicant whose Social Security number does not match their name, a buyer providing income documentation with inconsistencies, a tenant who suddenly disputes charges they previously acknowledged, or a mortgage applicant whose employer cannot verify their employment.

Creating an identity theft prevention program

A compliant program has four elements: (1) identify relevant red flags based on your business activities, (2) detect red flags by implementing verification procedures, (3) respond to detected red flags with appropriate actions (additional verification, declining the transaction, notifying the victim), and (4) update the program based on experience and evolving threats.

For property managers and real estate companies, this typically means: verifying applicant identity with government-issued ID, cross-referencing application information against credit reports, training staff to recognize inconsistencies, and establishing procedures for responding when identity theft is suspected.

Enforcement

The FTC enforces the Red Flags Rule for non-bank entities (including real estate companies). The Federal Reserve, OCC, and FDIC enforce it for banking institutions. Penalties for non-compliance can include civil penalties up to $2,500 per violation, with additional amounts for patterns of violations. More importantly, inadequate identity theft prevention can result in financial losses and liability to victims.
