CRFS Certification Overview and Curriculum


The Certified Red Flag Specialist (CRFS)® program is a workplace identity theft prevention and fraud detection certification administered by Identity Management Institute (IMI) to train and certify employees, consultants, and auditors of companies affected by rising identity theft risks and validate their fraud prevention skills through an independent examination.

CRFS was developed based on the comprehensive identity theft prevention standards and guidelines proposed by the Red Flags Rule regulation of the United States.

Why Become a CRFS

Data breach incidents and compromised personal information increase identity theft risks for any company where the opportunity for fraud exists. Therefore, companies must have plans and knowledgeable staff to prevent identity fraud regardless of how or where potential victims’ personal information was obtained. CRFS professionals pick up where data security practices fail.

There are many regulations, standards, and guidelines for protecting consumers’ private information. However, when such efforts fail and millions of pieces of consumer information fall into the wrong hands, businesses must have qualified staff to detect identity theft warning signs (red flags) in their daily business operations to prevent fraud and minimize losses.

The Certified Red Flag Specialist (CRFS) designation demonstrates that an individual is familiar with workplace identity fraud detection and prevention techniques and knows how to develop, maintain, and support an identity theft prevention program for mitigating identity fraud risks within an organization.

We believe that if professionals follow the best industry practices for identity theft risk management outlined in the CRFS study guide, they can prevent identity fraud and comply with local and international laws.

Who should become a CRFS?

Many individuals contribute to a company’s identity theft prevention efforts and must consider becoming a Certified Red Flag Specialist (CRFS). Such professionals include risk oversight members, managers, employees, consultants, examiners, compliance officers, and auditors of organizations facing identity theft risks including but not limited to:

  • Banks,
  • Mortgage brokers,
  • Finance companies,
  • Investment firms,
  • Insurance companies,
  • Healthcare providers,
  • Automobile dealers,
  • Utility companies, and
  • Telecommunications companies.

Employees who create new accounts and manage existing accounts may face identity thieves and fraud in their daily job duties. These professionals can help identify, detect, and respond to identity theft red flags. Such employees may be the weakest link in the battle against identity theft if they lack proper education and skills; therefore, they must be given special attention and adequate training to ensure they follow the established policies and procedures to prevent identity theft.

Identity Theft Management Framework

CRFS professionals are trained identity protection professionals who can detect identity theft red flags. Below is an identity theft management framework developed by Identity Management Institute to demonstrate how identity protection and fraud management tasks are interrelated:


Critical Risk Domains™

The Certified Red Flag Specialist (CRFS) Critical Risk Domains (CRD) are areas defined by IMI to a) identify the knowledge areas that a CRFS must possess to effectively develop, implement, and maintain an Identity Theft Prevention Program, and b) test the candidate’s understanding of the risks and knowledge of preventive, detective and corrective controls necessary for effectively managing identity theft risks. The CRFS CRDs described below are used for training and certifying candidates:

  1. Identity Theft Overview
  2. Risk Assessments
  3. Identity Theft Red Flags
  4. Identity Theft Prevention Program
  5. Layered Security Controls

Identity Theft Overview: To be successful in preventing identity theft, certified professionals must understand the identity theft crime including threats to their organizations and customers, various types of identity theft, criminal motivations, consequences and impact of identity theft, latest industry trends, and available solutions.

Risk Assessments: An initial risk assessment must be completed by CRFS professionals to identify the scope of the identity theft prevention program and how identity theft might occur within the organization. Each company must identify the specific red flags within its operations based on a comprehensive risk assessment. Subsequent and periodic risk assessments are also necessary to ensure that the identity theft prevention program is updated and reflects changes in identity theft risks facing their companies and customers.

Identity Theft Red Flags: Upon discovery of all identity theft red flags in the risk assessment process, CRFS professionals must develop the necessary policies and procedures to help the organization prevent, detect, and respond to identity theft.

Identity Theft Prevention Program: An identity theft prevention program must be properly designed and implemented to ensure policies and procedures are documented and communicated to all appropriate employees. The Program must also be properly administered to ensure it addresses approval and oversight, scope, objectives, responsibilities, status reporting, and timing of various important tasks. The Program must also specify plans for periodic updates, employee training, and service provider oversight.

Note: lessons learned from company operations and industry incidents are part of a comprehensive risk management process which must be analyzed, reflected in the Program updates, and communicated to all appropriate staff.

Layered Security Controls: Layered security is characterized by using different controls at different points in a transaction process so that the weakness of one control is compensated for by the strength of another. Layered security can substantially strengthen the overall security of transactions to protect sensitive customer information, prevent identity theft, and reduce account takeovers and the resulting financial losses and impact on consumer reports.

Certification Requirements

The CRFS certification can be obtained through formal training and examination. Candidates may prepare for the exam with a self-study guide or group training administered by IMI. The basic requirements for becoming a CRFS include 1) being a member of the Identity Management Institute, and 2) passing the exam.

CRFS professionals must obtain continuing education and renew their membership annually to stay current with the latest identity theft threats, requirements, and solutions, and keep their certification active.

Exam Format

The online exam includes 100 multiple-choice questions, and results are shared with candidates immediately upon exam submission. To pass the exam, candidates must answer 70 questions or more correctly within a 90-minute timeframe, and there is no penalty for guessing. The exam can also be administered onsite following group training.

CRFS Certification Process and Cost

Please refer to the CRFS certification page for additional details and to submit an enrollment application.