Attorney General Becerra Calls on FTC to Maintain and Strengthen Identity Theft Rules

Monday, February 11, 2019
Contact: (916) 210-6000,

SACRAMENTO – California Attorney General Xavier Becerra, as part of a coalition of 31 state attorneys general, responded today to the Federal Trade Commission’s (FTC) recent request for public comment concerning its review of the Identity Theft Rules that require financial institutions and some creditors to detect signs of identity theft. The coalition’s letter describes the continued need for the existing rules and offers recommendations for updates that protect their relevance.

“The Federal Trade Commission helps protect consumers’ personal information and should continue to ensure banks do their part to stop identity theft,” said Attorney General Becerra. “We urge the FTC to update its current Identity Theft Rules to help banks and creditors keep up with new and ever-changing technology to stop identity thieves in their tracks.”

The comment letter responds to the FTC’s request for public input on its regular review of current regulations and guides. The Identity Theft Rules, also known as the “Red Flags Rule,” require certain entities to detect, prevent, and mitigate identity theft. These entities have the ability to stop a fraudulent account from being opened or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, both strong indicators that the account may have been taken over by an identity thief.

In the letter, the coalition recommends updates to the Identity Theft Rules that ensure continued relevance with changes in technology, including:

  • Card issuers should verify email addresses, cell phone numbers, or other means of communication when such changes are followed by request for an additional or replacement card, amending the existing requirement of an assessment of validity only after a change of address;
  • Best practices should include multi-factor verification, a more secure method than knowledge-based authentication questions given that answers may be available elsewhere online or already compromised from a previous data breach; and
  • Examples of  “red flags” for unauthorized account use should include access by new and previously unknown devices, several unsuccessful attempts to input a correct password, and devices using international IP addresses to access multiple accounts.

The response is the latest of Attorney General Becerra’s ongoing efforts to strengthen and maintain consumer protections by the FTC. In October 2018, Attorney General Becerra – with a coalition of 12 state attorneys general – presented recommendations to the FTC to advance antitrust enforcement and consumer protection.

A copy of the letter can be found here.


# # #