Is Your Company Subject to the “Red Flags Rules”?

June 17, 2009

UPDATED: January 5, 2011
UPDATE: As of December 31, 2010, the Federal Trade Commission (FTC) has begun enforcing the Red Flags Rules, against a narrower group of businesses than originally expected. On December 18, 2010, the Red Flag Program Clarification Act of 2010 was signed into law [1], clarifying that certain businesses are outside the scope of the Rules. Attorneys, accountants, physicians, dentists and other healthcare professionals, and other small businesses that merely bill for services after providing them are no longer subject to enforcement actions. After two years of confusion, the FTC will now enforce the law against those businesses that do need to comply.

The Red Flag Program Clarification Act of 2010 amends the Fair Credit Reporting Act’s identity-theft (red flag) guideline provisions, which apply to users of consumer reports. “Creditors” under the Red Flags Rules are now limited to those who regularly, and in the ordinary course of business:

  1. Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
  2. Furnish information to certain consumer reporting agencies in connection with a credit transaction; or
  3. Advance funds to or on behalf of a person, based on the person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf (but this does not include any creditor “that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person”).

The Act also allows the federal agency with authority over a creditor (a federal banking agency, the National Credit Union Administration, or the FTC) to bring any other type of creditor within the definition if that creditor offers or maintains accounts subject to a reasonably foreseeable risk of identity theft. This gives the FTC room to expand the reach of the Rules in the future by requiring other types of creditors to comply.

What are the Red Flags Rules?
Identity theft is a growing problem, and new federal regulations aim to help spot the problem before it causes major damage to both the victim and to businesses. Businesses suffer by absorbing unpaid bills run up by the thieves and by racking up transaction costs in helping customers sort out the mess.

The “Red Flags Rules” (the “Rules”) are a set of regulations that require certain businesses to adopt programs designed to prevent identity theft and to detect it early when it does occur. The Rules were issued under the Fair and Accurate Credit Transactions Act (“FACTA”), which amended the Fair Credit Reporting Act, and are enforced by the FTC for the businesses within its jurisdiction. [2] Businesses should determine whether the Rules apply to them and, if they do, take the required actions.

The Red Flags Rules have been in effect since 2008, and covered businesses are expected to be in compliance. The FTC, however, delayed enforcement actions under the Rules until December 31, 2010. It recognized that small businesses (and most businesses of any kind that are subject to the Rules) needed extra time to educate themselves, develop and implement their Red Flags procedures, and comply with the law. The FTC indicated that it is sensitive to the economic pressures on small businesses and that it plans to continue to work with trade organizations and businesses to ensure that compliance with the Rules does not place an undue burden on them.

The FTC website has many resources to help you understand your responsibilities. [3] These include a FAQ section and a template program for compliance. Data security is addressed specifically in “Is Your Business Keeping Data Secure?” Resources are also available from trade organizations like the American Medical Association. [4]

Under the Rules, businesses that are “financial institutions” or “creditors” and that have “covered accounts” (more on what these are below) must have a written program that identifies and detects the warning signs (the “red flags”) of identity theft.

The program may vary from business to business, but all programs should have the following four basic elements:

  1. Reasonable policies and procedures to identify the red flags common in your business. The red flags will vary with the type of business. For example, if a business requires a photo ID to open an account, an ID that appears to be altered or forged would be a red flag.
  2. A procedure to detect the red flags you have identified.
  3. The actions to take when red flags are identified.
  4. A plan to re-evaluate and evolve the program as new risks emerge.

It is not enough to just have a written program document. The law contains training and monitoring requirements as well.

Do the Rules Apply to My Business?
Two categories of businesses are covered by the Rules: financial institutions and creditors. Determining whether your business is a “financial institution” is fairly easy. The term means:

…a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account… belonging to a consumer. [15 U.S.C. § 1681a(t).] [5]

Most of the time, whether or not a business is a financial institution will be fairly obvious. Furthermore, this definition comes up in other contexts, such as the coverage of FDIC deposit insurance, so businesses tend to know if they are financial institutions.

Determining whether or not you are a “creditor” is a more difficult task. This issue is discussed in depth below.

If you have determined that your business is a financial institution or a creditor, the Rules will still apply to you only if you have “covered accounts.” [6] The first kind of covered account is a personal, family, or household account set up to permit multiple payments or transactions. Examples include credit card accounts, mortgage loans, cell phone accounts, and checking or savings accounts. The second kind of covered account is any other account (personal or business) that presents a “reasonably foreseeable risk” of identity theft.

The FTC lists small business accounts, sole proprietor accounts and single-transaction consumer accounts as examples of at-risk accounts. Accounts that can be accessed remotely by phone or over the internet may also be at risk. Presumably, if an insurance agency has an account for a medium-sized business, the risk of identity theft is not very high, since run-of-the-mill identity thieves do not typically target business identities. If those business accounts contain personal information about individuals, however, they might be at risk.

If your business does not have any covered accounts, it does not need a Red Flags Rules program.

Is My Business a “Creditor”?
Whether or not your business is a “creditor” can be trickier, because it has less to do with what kind of company you are and more to do with your particular circumstances. A “creditor” is defined generally as any person or company:

…who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. [15 U.S.C. § 1691a(e).]

Under the Red Flag Program Clarification Act of 2010, however, a business that meets this general definition is subject to the Rules only if it also fits the narrower definition set out at the beginning of this article: regularly obtaining or using consumer reports, furnishing information to consumer reporting agencies, or advancing funds in connection with credit transactions.

“Credit” here is used in the usual sense: the right to defer payment of a debt, or the right to incur a debt and pay later. Credit card companies are obviously creditors, since they give the consumer the right to purchase now (incur a debt) and pay later. A retailer who permits customers to pay on an installment plan is also a creditor. The Clarification Act made clear, however, that providing a service first and accepting payment later is not, by itself, enough to make you a “creditor.”

The FTC is revising its materials to reflect the narrower scope of creditors subject to the Red Flags Rules after passage of the Red Flag Program Clarification Act of 2010. The FTC website remains a valuable source of guidance on whether your business needs to comply.

Regardless of whether the Red Flags Rules apply to your business, if your company regularly extends credit to customers, developing a Red Flags program would add value to your business.

Installment Plans and “Arrangers” of Credit

What about customers paying bills on an installment plan? Under the Equal Credit Opportunity Act and the Truth in Lending Act, which define “credit” much as the Red Flags Rules do, a credit transaction exists whenever there is a right to defer payment of a debt. It usually does not matter whether the credit is for personal or commercial purposes, or whether the transaction carries a finance charge. Therefore, if your business allows payment in installments you may be a “creditor” in this general sense, though you will be subject to the Rules only if you also meet one of the three conditions of the Clarification Act described above.

The Rules also classify as “creditors” businesses that arrange for credit or that make credit decisions. Finance companies, broker-dealers, mortgage brokers, automobile dealers and retailers that offer financing (or that help consumers obtain financing from other sources) may therefore all be considered creditors.

Bottom Line
All businesses need to determine whether they are financial institutions or creditors. If you determine that you are, the next step is to determine whether your business has any “covered accounts.” If it does, you need a Red Flags Rules program in place.

[1] Red Flag Program Clarification Act of 2010.
[2] The Red Flags Rules are found at 16 C.F.R. Part 681. The Fair and Accurate Credit Transactions Act (“FACTA”) amended the Fair Credit Reporting Act (“FCRA”), which was enacted to protect consumers and businesses with regard to credit cards, credit ratings, and other credit-related activities.
[3] FTC website
[4] American Medical Association website, AMA – Red Flags Rules
[5] A “transaction account” is a bank-like account out of which a customer can make withdrawals or payments. See 12 U.S.C. § 461(b)(1)(C).
[6] “Covered accounts” are defined in 16 C.F.R. § 681.2(b)(3).

To subscribe to email alerts from Axley Law Firm, click here.