Understanding the Red Flags Rule in 4 Questions

Q1:  What is the Red Flags Rule?
The Red Flags Rule is a set of rules implementing the identity theft provisions of the Fair and Accurate Credit Transactions Act of 2003 by requiring financial institutions and creditors to evaluate potential identity theft red flags and establish a program to address them.

Q2:  Why should I care if my business is not a financial institution?
You are covered by the rules if your business extends credit in providing services to consumers or “any other account . . . where there is a reasonably foreseeable risk to customers . . . from identity theft.”  The FTC has indicated that this second category is broadly construed and includes “businesses or organizations that regularly provide goods or services first and allow customers to pay later.  Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.”

This has been a source of controversy and even litigation as accountants and lawyers resist application of the rule.  In October, the House of Representatives passed H.R.3763 to exclude medical, accounting and legal firms with 20 or fewer employees and allow other small businesses to seek an exemption if certain conditions are met.

Q3:  When do the rules go into effect?
The rules were to be effective November 1, 2008, but the FTC has pushed this date out on multiple occasions.  Due to the confusion as to who is covered by the rule, its enforcement has now been postponed until June 1, 2010.

[Image: red flag 4]

Q4:  Assuming they apply to my business, what do I need to do?

The obligations are summarized in the diagram above.  The FTC provides a template for businesses to identify potential red flags and a video explaining the rules and process involved.