Is Your Business Subject to the FTC Red Flags Rule?

A growing number of Americans are victimized by identity theft each year. With the increase in online financial activity, cyber thieves are stealing millions of dollars annually, and the threat continues to grow at an alarming rate. To help fight identity theft, the Federal Trade Commission (FTC) recently implemented the Red Flags Rule.

What is the Red Flags Rule?

The Red Flags Rule is a directive enforced by the FTC in conjunction with several other agencies. It requires businesses whose normal activities put their customers at risk of identity theft to implement a prevention process designed to detect certain “red flags”. Once a red flag is detected, there must also be a process in place for taking steps to prevent the theft from happening and to reduce the damage inflicted. In other words, businesses covered under this rule are directed to look for “suspicious patterns” and, when one is detected, stop the transaction before it results in a customer’s funds being stolen.

Which Businesses Are Covered by the Red Flags Rule?

There is some confusion about which businesses are required to implement a procedure to comply with the Red Flags Rule. According to the FTC, financial institutions and “some creditors” must follow this rule. However, its definition of creditor is based on the business model and the type of business you regularly conduct. If you regularly:

  • Obtain or use credit reports when granting credit to a customer.
  • Submit reports to credit reporting agencies in connection with a customer transaction.
  • Advance secured credit to customers that use funds or property as collateral.

Then you are considered a covered creditor according to the FTC.

It is important to note that if you only “occasionally” engage in the above activities, then it is likely that you are not required to comply with the Red Flags Rule. Also, if you advance credit without pulling a credit report or pull a credit report that is not related to a credit transaction, then you are probably not required to comply with the Rule.

Some examples of businesses that would NOT necessarily be required to comply with the Red Flags Rule include:

  • Businesses that provide a product and/or render a service and bill the customer at the end of the month.
  • Businesses that accept credit cards as a method of payment.
  • Businesses that pull a credit report to screen an applicant for employment or housing.

Business models do change, so it is a good idea to review your processes regularly to find out if you need to comply with the Red Flags Rule. If you are unsure whether you meet the requirements for compliance, speak to your local business accountant for more information and guidance.
