Have You Heard About the Red Flags Rule?

How many business owners know of the existence of the Red Flags Rule? My guess is not a lot. The Red Flags Rule, which has been in effect since January 1, 2008, is “an anti-fraud regulation, requiring ‘creditors’ and ‘financial institutions’ with covered accounts to implement programs to identify, detect, and respond to the warning signs, or ‘red flags,’ that could indicate identity theft.” However, enforcement of the Rule has been delayed several times and has currently been delayed to June 1, 2010. For the purpose of this summary, I will only address the rule as it applies to “creditors”.

Although the enforcement has been delayed once again, you still need to know how enforcement of the rule affects your business. If you are considered a creditor under the rule and have a covered account, you need to develop, implement and administer an identity theft program. The definition of creditor is key because it is a definition that might not be considered in every day usage. Whether the rule applies to your business does not have to do with your industry, but whether your activities fall under the purview of the rule.

The rule has more than one definition of creditor but for the purpose of this summary I will only look at one. Creditor is defined broadly and includes “businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.” Whether your company falls within the definition of “creditor” depends on how and when you collect payment for your services.

Even though you are considered a creditor under the rule, you do not have to implement the identity theft programs unless you have covered accounts. By looking at your existing and new accounts, you must determine whether your accounts fall within any of the two categories of covered accounts. That is, a consumer account or “ ‘any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.’ ”

If your business fit the definition of a creditor and you have covered accounts, you must comply with a four step process which includes identifying relevant red flags, detecting red flags, preventing and mitigating identity theft and updating your program.

Note: This brief summary was compiled with information taken from the Federal Trade Commission, Fighting Fraud with The Red Flags Rule – A How to Guide for Business. It is not intended as legal advice and you should check out the FTC’s website at http://www.ftc.gov/redflagsrule to get more information on how this rule applies to your business.