Small Business: The Red Flags Rule

September 28, 2009

By Philip I. Frankel, Small-Biz Focus, September/October 2009

This article first appeared in the September/October 2009 issue of Small-Biz Focus produced by Support Services Alliance, Inc. (SSA).

The Federal Trade Commission (FTC) began enforcing the Red Flags Rule on August 1, 2009. The Rule requires many businesses and organizations to develop and implement a written Identity Theft Prevention Program.

While the Red Flags Rule applies only to "financial institutions" and "creditors" with "covered accounts," the Rule's broad definition of "creditor" requires many businesses that would not typically consider themselves "creditors" to develop a compliant Program.

"Creditor" is currently defined to include any business that regularly defers payment for goods or services or that provides goods or services and bills the customer later. Examples include automobile dealers, mortgage brokers, and even professionals like physicians. Simply accepting credit cards as payment does not make your business a "creditor." However, if you regularly defer payment through payment plans, you are considered a "creditor," even if there is no service charge or interest.

If your business qualifies as a "creditor," the next step is determining if you maintain "covered accounts." A "covered account" is defined as (1) a consumer account that allows multiple payments or transactions, or (2) any other account with a reasonably foreseeable risk of identity theft. Examples include credit card accounts, car loans, mortgage loans, cell phone accounts, and checking or savings accounts. These accounts must only involve payments or transactions for the customer's personal, family, or household purposes. Business accounts are exempt.

The Rule does not specify the types of identifiable information (e.g., Social Security number, name) you must collect to be subject to the Rule; it focuses solely on classification using these definitions. Thus, even if complying with the Rule may not make practical sense for you, if you qualify as a "creditor" with "covered accounts" you must comply or risk being subject to civil monetary penalties.

Developing Your Program

Most small businesses will qualify as low-risk for identity theft, depending upon the information they receive from consumers, and how they retain it. The FTC has created a Compliance Template to help low-risk entities develop their own Program. Businesses are considered to be low-risk if they know their clients personally, normally provide services at their customers' homes, have never experienced an incident of identity theft, or identity theft is rare in their line of business.

Designing your Program requires four steps. First, identify the Red Flags for identity theft that may be relevant to your business. Second, establish policies and procedures to detect these Red Flags in your daily operations. Third, describe how you will respond after detecting a Red Flag. Fourth, describe how you will administer your Program. Once the Program is complete, it must be approved by your Board of Directors or a senior employee.

Compliance does not require filing with the FTC. Once the Board approves your plan, simply maintain the Program with your business records and implement the plan.

The FTC's Compliance Template is available at After visiting this homepage, click on the "Create Your Program" link, and the website will guide you step-by-step through the Program.