What must a covered entity do regarding Red Flags Rule compliance?

The right approach is to put in place an identity theft detection and response program. Under the Red Flags Rule, covered entities must have a written plan to detect, prevent, and mitigate identity theft in connection with opening or maintaining covered accounts. This program should identify relevant red flags, establish procedures to detect them, and outline steps to respond to confirmed or suspected identity theft—such as verifying customer identity, monitoring for suspicious activity, notifying customers, changing account numbers, or involving law enforcement. It also requires ongoing updates to reflect changing risks and clear assignment of responsibility, along with staff training. The other options don’t fit because they don’t address detecting or responding to identity theft, and would either undermine privacy protections or involve sharing data in ways not required or permitted by the rule.