On December 11, 2018, the Commission initiated periodic review of the Identity Theft Rules, which include the Red Flags Rule and the Card Issuer Rule. The public comment period closed on February 11, 2019, and staff is reviewing the comments. Staff plans to submit a recommendation to the Commission by December 2023.

The Red Flags Rule requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program. By identifying red flags for identity theft in advance, businesses can be better equipped to spot suspicious patterns that may arise and take steps to prevent potential problems from escalating into a costly episode of identity theft. An Identity Theft Prevention Program must have four parts. First, the program must include reasonable policies and procedures to identify signs or red flags of identity theft in the day-to-day operations of the business. Second, the program must be designed to detect the red flags of identity theft identified by the business. Third, the program must set out the actions the business will take to detect red flags. Finally, because identity theft is an ever-changing threat, a business must re-evaluate its program periodically to reflect new risks from this crime. 

The Card Issuer Rule requires credit and debit card issuers to implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterward, also receives a request for an additional or replacement card for the same account.