FTC Red Flag Rules and Small Business

The Federal Trade Commission (FTC) has come up with a tool to make Red Flags Rules more easily understood and small business compliance easier to implement.
The rules for recognizing and responding to identity theft’s warning signs were initially created in 2003, but the FTC has repeatedly delayed their enforcement, largely because of confused interpretation of the term “creditor”. In response, the FTC has developed a simple six-page, four-step outline for small and low-risk businesses, along with guidelines for determining whether a business falls into this category.
How can you tell if your business is at low risk for identity theft?
  • Do you know many of your customers by sight?
  • Do you provide services in your customers’ homes?
  • Is your line of business frequently linked to identity theft?
  • Has your business ever been linked to an identity theft incident?


If you answered yes to the first two questions and no to the last two questions, chances are you have a low-risk business, and can easily meet Red Flag Rules requirements by using the simple form created by the FTC.

The Identity Theft Prevention Program designed by the FTC, available at this link: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm, guides business owners, board members or senior managers through the process in four easy steps:

  1. Identifying relevant red flags
  2. Detecting red flags
  3. Responding to red flags
  4. Administering your program, including designating the employee responsible for implementation; training methods; identifying service providers that might detect ID theft; and deciding how to update your program and keep it current.

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. By focusing on red flags now, you’ll be better able to spot an imposter using someone else’s identity to get products or services from you. As a practical matter, the Rule applies to you if you provide products or services and bill customers later. To find out if the Red Flags Rule applies to your business, read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a booklet published by the Federal Trade Commission (FTC).

The FTC, the federal agency that enforces a number of consumer protection laws, has designed this compliance template to help businesses and organizations at low risk for identity theft design their own Identity Theft Prevention Program. It has two parts: Part A to help you determine whether your business or organization is at low risk, and Part B to help you design your written Identity Theft Prevention Program if your business is in the low risk category.

PART A: Is your business or organization at low risk for identity theft?

How can you tell if your business is at low risk for identity theft? Conduct an assessment. Although you have to consider the unique characteristics of your business, here are some factors to help you decide your risk level.

  • Do you know your clients personally? Perhaps you’re a doctor or a lawyer on Main Street and are familiar with everyone who walks into your office. It’s unlikely that an identity thief can defraud you by impersonating someone you already know. That would place your business at low risk for identity theft.
  • Do you usually provide your services at your customers’ homes? To avoid getting caught, identity thieves tend to move around a lot. They generally don’t want people to know where they live. If you regularly provide services at your customers’ homes, your business may be at low risk for identity theft.
  • Have you ever experienced an incident of identity theft? You’ve been in business for some time now, and no one has complained that someone stole his identity and used it to get products or services at your business. That might suggest your business is at low risk for identity theft.

Complying with the Red Flags Rule

  • Are you in a business where identity theft is uncommon? If there are no reports in the news and no talk among people in your line of work about identity theft, your industry may not now be the target of identity thieves, and your organization may be at low risk for identity theft.

I’ve conducted an assessment of

Here are the reasons we are at low risk for identity theft:

PART B: Designing an Identity Theft Prevention Program for Businesses or Organizations at Low Risk

Designing a program involves four basic steps:

  STEP 1: Identifying relevant red flags
  STEP 2: Detecting red flags
  STEP 3: Responding to red flags
  STEP 4: Administering your Program

name of your business or organization

My Identity Theft Prevention Program

STEP 1: Identifying relevant red flags

The first step is to identify the relevant red flags you might come across that signal that people trying to get products or services from you aren’t who they claim to be. Read the FTC’s free booklet Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (pages 19-21) for examples. For instance, if you check photo IDs, a classic red flag of identity theft is an inconsistency between the person’s appearance and the information on the photo ID. If you know all your customers personally, it’s probably not necessary to ask for a photo ID, and this red flag wouldn’t be appropriate. Sometimes, the only red flag may be a notice from another source that an identity theft has occurred. Since that red flag applies to everyone, it’s included here.

Here are the red flags we have identified:

  1. Notice from a customer, a victim of identity theft, a law enforcement agency, or someone else that an account has been opened or used fraudulently.
  2.
  3.
  4.

STEP 2: Detecting red flags

The second step is to explain how your business or organization will detect the red flags you’ve identified. For example, perhaps in Step 1 you identified false IDs as a red flag. To detect a false ID, you might consider training your staff to look carefully at the ID to see if the person’s appearance is consistent. What if somebody notifies you that an account has been opened or used fraudulently? To make sure those notices don’t fall through the cracks, you may decide to require employees to log that kind of notice in a central place or to tell a staff member responsible for responding to red flags.

Here’s how we’ll detect the red flags we have identified:

STEP 3: Responding to red flags

The third step is to decide how you’ll respond to any red flags that materialize. For example, say you’ve identified the risk of false IDs as a warning sign of identity theft, and you’ve noted that you will train your staff to look for inconsistencies in identification. Your employee has checked the photo ID and detected an inconsistency. What’s the next step? Perhaps it’s asking for another form of identification – or maybe not providing any products or services until the inconsistency has been resolved. Or imagine you’re trying to collect on an unpaid bill, and the person you contact tells you his identity was stolen and he didn’t run up that bill. Although it will depend on the circumstances, consider how you might respond. For example, you could ask for proof that an identity theft claim has been filed.

Here’s how we’ll respond to the red flags we have identified:

STEP 4: Administering your Program

The last step is documenting how you’ll administer your Program. Here’s what’s involved:

  • Get the approval of your Board of Directors, a committee of your Board, or a senior manager. Our Program has been approved by: (name)
  • Designate a senior employee to administer your Program. The person who will administer our Program is: (name)
  • Describe how you’ll train your staff. List the categories of employees who will be trained to detect red flags – for example, your reception staff or the people who handle your accounts receivable – and how they’ll get that training – say, during an orientation for new employees or an annual update. Here are the categories of employees we’ll train and how we’ll provide training:
      Category of employee | How we provide training
  • Describe how you’ll supervise your service providers. Do you use service providers who might detect any of the red flags you’ve identified? For example, do you hire a company to handle your invoicing or use a collection agency to collect overdue bills? Talk to them to see that they’re following your Program or have their own that complies with the Red Flags Rule.
      We don’t use service providers in connection with accounts covered by the Red Flags Rule.
      We use service providers in connection with accounts covered by the Red Flags Rule. Here are the service providers we’ll contact about complying with the Red Flags Rule:
  • Describe how you’ll update your Program. Identity theft risks can change fast, so it’s important to reassess your Program periodically. If your business experiences identity theft, if any factors change that contributed to your original assessment of low risk, or if you change your business model with respect to your accounts or your corporate structure, you will need to re-evaluate and modify your Program. Here’s how we’ll keep our Program current:

Questions about complying with the Red Flags Rule? Visit ftc.gov/redflagsrule or email RedFlags@ftc.gov

What is the FTC? Federal Trade Commission
What is FACTA? FACTA stands for the Fair and Accurate Credit Transaction Act of 2003.
What is the Identity Theft Red Flags Rule? This rule, established in January of 2008 with compliance scheduled for November of 2008, requires creditors and financial institutions to develop and implement written identity theft prevention programs. The programs “must provide for the identification, detection and response to patterns, practices or specific activities” that could indicate identity theft (known as “red flags”).
Creditor is defined as any entity that regularly extends, renews or continues credit. Any person that provides a product or service for which the consumer pays after delivery is a creditor under the Act.
What is a Red Flag? A red flag is an indicator of the possible existence of identity theft. An example might be a consumer applying for credit to buy furniture and providing the financing office with an invalid social security number, or a social security number that does not match their name. In the case of an existing account, a red flag might be an unusual pattern of usage, such as a credit card being used to buy a large amount of jewelry or electronic equipment. (For 26 examples of red flag rules, go here.)
Who regulates the Red Flag Rules and what are the penalties for non-compliance?
The FACTA Red Flag requirements are part of the Fair Credit Reporting Act and are enforced by the FTC.
More than 2,000,000 entities are required to comply with FACTA section 114, commonly referred to as the Red Flag Rules, no later than 8/1/2009 (previously 11/1/2008, then 5/1/09), including all:
  • Banks, Savings & Loans and Credit Unions
  • Mortgage Lenders and Brokers
  • Consumer and Student Loan Lenders
  • Auto and Motorcycle Dealers
  • Utility Companies, Cell Phone Providers and Other Creditors
By August 1, 2009, every covered entity must:

1) Perform a risk assessment, identifying all covered accounts
2) Identify all relevant red flags and implement appropriate detection and response procedures
3) Develop, gain approval for and deploy your written identity theft prevention and training program
4) Train appropriate staff on your Red Flag detection and response procedures
5) Thereafter, review and update your compliance program at least annually
