Mortgage Concepts is a recurring video series covering best practices and compliance education for California mortgage loan originators. This video discusses the Red Flags Rule and identity theft protection. For course credit toward renewing your NMLS license, visit

As part of their professional duties, mortgage loan originators (MLOs) work with loan applications and credit reports on a regular basis.

This personal information is collected from applicants as a crucial part of arranging any mortgage. The information ensures that mortgage funds are disbursed to the correct person and actually secured by the subject property, all part of a mortgage lender’s risk management. Prudent processing of a mortgage origination requires a complete profile on the borrower and their ownership of the real estate which will be security for the mortgage debt.

However, identity theft poses a threat to the integrity of all mortgage originations. As the first point of contact with a borrower, MLOs are in perfect position to reduce these risks.

The Red Flags Rule was developed by the Federal Trade Commission (FTC) to mitigate identity theft risks borrowers of mortgages are exposed to when a mortgage is made or arranged by MLOs.

Proprietary and corporate brokers who engage in MLO activities need to implement written procedures and checklists for screening mortgage applications, known as an Identity Theft Prevention Program (ITPP). The procedures are required to help MLOs adequately detect suspicious activity and indications of potential fraud, called “red flags,” in mortgage applications and other documents provided by an applicant. [15 United States Code §1681 et seq.]

Implementation of written procedures for detecting suspicious activity requires the MLO business operation to:

  • screen mortgage applications and related documents for typical signs of fraud and identity theft; and
  • protect the personal information of applicants and, if servicing mortgages current borrowers from identity theft.

MLOs are subject to the Red Flags Rule when, in their course of making or arranging mortgages, they also:

  • obtain or review credit reports relating to any type of mortgage origination;
  • provide information to credit reporting agencies; or
  • advance mortgage funds themselves — whether from their own funds or under a warehouse line of credit — or on behalf of a lender. [15 USC §1681m(e)(4)]

The rule initially targets MLOs who make, arrange or service mortgages which fund primarily personal, family or household purposes, called consumer mortgages. However, those who also make or arrange business mortgages are also required to create procedures to prevent fraud when the mortgages they make present a reasonably foreseeable risk of identity theft, such as those that may result from data accessible by telephone or the internet. Citation: [16 CFR §681.1(b)(3)]

Nonetheless, as good business practice and risk management, all MLOs are advised to implement procedures for reviewing mortgage applications and detecting suspicious activity, regardless of the level of risk they determine exists.
In addition to following their own written procedures, MLOs acting as service providers for a lender also need to follow any procedures imposed by the lender as part of its security requirements for detecting mortgage fraud. [16 CFR §681, Appendix A(VI)(c)]

Further, all MLOs are uniformly required to have policies for verifying a borrower’s identity upon receiving an address discrepancy alert from a credit reporting agency. Citation: [16 CFR §641.1]

To determine what type of activity is suspicious and may indicate fraud, MLOs are required to gauge the risk factors present in the mortgages they originate, including:

  •  the types of mortgages offered;
  •  methods used to make and access mortgages; and
  •  their previous experience with identity theft and fraud.  [16 CFR §681 Appendix A(II)(a)]

They may draw from past incidents of identity theft, any changes in identify theft risks they have identified, supervisory guidance given about what type of activity is suspicious or new methods used by fraudulent applicants.

The use of a checklist containing activity identified as suspicious is required to determine whether an applicant’s information indicates fraud. However, the content of the list will vary by company and is to be set out in writing by each MLO company.

Activity that may be added to the checklist as indications of fraud include:

  • alerts or warnings from credit reporting agencies or service providers, such as fraud detection services;
  • suspicious documents that appear to be altered or forged;
  • suspicious personal identifying information, such as a peculiar address change;
  • unusual activity related to a mortgage; and
  • notice from borrowers, victims of identity theft, law enforcement or other persons regarding potential identity theft related to a mortgage. [16 CFR §681, Appendix A(II)(c)]