The Fair and Accurate Credit Transactions Act of 2003 requires certain financial institutions and creditors to implement an Identity Theft Prevention Program to detect and mitigate identity theft. The Red Flags Rule specifies that programs must include risk assessments, policies to identify and respond to red flags of identity theft, staff training, and oversight of service providers. Failure to comply can result in fines and legal action by regulators and state attorneys general.