By December 2018, the Commission plans to initiate periodic review of the Identity Theft Rules, which include the Fed Flags Rule and the Card Issuer Rule.

The Red Flags Rule requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program. By identifying red flags for identity theft in advance, businesses can be better equipped to spot suspicious patterns that may arise--and take steps to prevent potential problems from escalating into a costly episode of identity theft. An Identity Theft Prevention Program must have four parts. First, the Program must include reasonable policies and procedures to identify signs or red flags of identity theft in the day-to-day operations of the business. Second, the Program must be designed to detect the red flags of identity theft identified by the business. Third, the Program must set out the actions the business will take upon detecting red flags. Finally, because identity theft is an ever-changing threat, a business must re-evaluate its Program periodically to reflect new risks from this crime.

The Card Issuer Rule requires credit and debit card issuers to implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards, also receives a request for an additional or replacement card for the same account.