Red Flags Rule Requirements and Resources
Saturday, October 31, 2009 19:43
The Red Flags Rule is part of the Fair and Accurate Credit Transactions Act of 2003. As discussed in my last article, “Complying with the Red Flags Rule”, businesses that are financial institutions or creditors must comply with the rule. So, how do you know if this applies to you? The definition of a financial institution is pretty straightforward and includes state or national banks, savings and loan associations, credit unions and any other institution that directly or indirectly holds a transaction account belonging to a consumer. This transaction account is a deposit account or an account from which a consumer can make payments or transfers to third parties. The definition of a creditor is a little more obscure.
What is a Creditor?
Most small and medium-sized businesses are not banks, so that part of the rule would not apply. When we look at the term creditor under the rule, however, a lot of small and medium-sized businesses would be covered. A creditor is one that regularly provides goods or services to its customers and allows the customer to pay for them later. The Red Flags Rule applies to those businesses that put off the customer having to make payment until the goods or services have been delivered or performed. Also, a creditor is one that regularly arranges for the extension, renewal, or continuation of credit. According to the FAQs (Frequently Asked Questions), just the fact of accepting checks, credit cards, debit cards or automatic account debits does not make you a creditor under the rule. On the other hand, extending credit to a consumer or another business can qualify a business as a creditor under the rule.
Examples of qualifying businesses given in the FTC (Federal Trade Commission) guidance material include utilities, most health care providers, lawyers, accountants, telecommunication companies, mortgage brokers, auto dealers and some retailers. The way the rule is written, it is hard, in some cases, to determine if you are required to comply with the Red Flags Rule. In those obscure cases, I would recommend that you contact the FTC directly and ask. Just make sure you get the answer in writing in case of problems later.
If you are considered a creditor under the rule, you must determine what, if any, covered accounts are maintained by your business. The definition of covered account is so broad that I would say if you are a creditor, most likely you maintain covered accounts. The rule defines a covered account as:
- An account that is primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions.
- Any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.
The second part of the covered account definition is a catch-all and is why I say if you find that you fall under the definition of a creditor, you most likely maintain covered accounts. Once you have determined that you are a financial institution or a creditor under the rule and that you maintain covered accounts, you must then follow the Red Flags Rule.
Complying with the Red Flags Rule
The four basic elements of a Red Flags program are to:
- Identify Red Flags that apply to your particular business.
- Detect Red Flags.
- Respond appropriately to any Red Flags that are detected so you can prevent and mitigate identity theft.
- Ensure your Red Flags program is updated on a regular basis to reflect changes in risks to customers or to your business from identity theft.
To detect red flags that apply to your business, you will have to develop specific policies and procedures to help your business detect or spot any red flags you identified in the first element of the Red Flags program. Responding appropriately requires your employees to follow the policies and procedures that you develop in element two. Lastly, ensuring that the Red Flags program is updated on a regular basis will require your business to keep current on methods of identity theft and fraud.
Once the written program has been developed or modified, then, depending on the framework of your business, you will need to obtain the approval of the Board of Directors, upper level management or the business owner (this would apply to a lot of small businesses) for the program you have developed.
An additional item that you would need to implement is training of staff specifically related to any policies and procedures you implement to identify the Red Flags. If you have a third party handling some or all of your covered accounts, you will need to exercise effective oversight of these vendors and make sure they are also complying with the Red Flags Rule.
Red Flags Rule Resources
- FTC Home for information on the Red Flags Rule
- Fighting Fraud with the Red Flags Rule: A How to Guide for Business – a 17-page document covering the basics of the Red Flags Rule as well as a list of red flags that may identify fraud.
- Do it yourself template for developing a Red Flags rule prevention program
- Red Flags Rule FAQs
- Still have questions – Email the FTC
- AMA (American Medical Association) resource on the Red Flags rule
- AHA (American Hospital Association) resource on the Red Flags rule
These along with the first article on Red Flags rule should get you started in the right direction. If you know of any other resources for specific businesses, please leave a comment and share the resource with other readers.