


Do you Extend Credit or Bill Your Customers Later? What You Need to Know About the FTC’s Red Flags Rule


By Caron Beesley, Contributor
Published: June 6, 2012

Identity theft is on the rise. Impacting more than 10 million consumers each year, it also costs businesses an estimated $221 billion annually. To help combat this threat, the Federal Trade Commission (FTC) has just implemented new regulations designed to help prevent identity theft, known as The Red Flags Rule.

If you are a small business that provides products and services to your customers and bills them later, there’s a good chance you need to comply with these new requirements.

Read on to determine if the Rule applies to you and how to comply:

What is the Red Flags Rule?

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs, or "red flags," of identity theft in their day-to-day operations, such as an impostor trying to defraud you while using someone else’s identity. The rule went into effect on June 1, 2012.

Who Needs to Comply

The rule applies primarily to organizations you might expect to be typical targets for identity theft, like “financial institutions” (banks, credit unions, etc.) and also to “creditors.” But it applies to a much broader base of businesses, too. The key term here is “creditor.” The rule’s definition of “creditor” is very broad and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later.

For example, law firms and accounting firms that receive payment after a service is completed are considered creditors. Likewise, if your business extends credit, makes credit decisions, or processes credit applications, you are also covered by the rule.

NOTE: Simply accepting credit cards as a form of payment does not make you a “creditor” under the Red Flags Rule. But if a company offers its own credit card, arranges credit for its customers, or extends credit by selling customers goods or services now and billing them later, it is a “creditor” under the law.

NEXT: If you think your business falls into any of these buckets, you’ll need to determine whether the accounts you maintain fall under the FTC’s definition of being at-risk for identity theft. These are called “covered accounts” and include:

  1. Consumer accounts designed to permit multiple payments or transactions
  2. Any other account that presents a reasonably foreseeable risk from identity theft. Examples include small business accounts or single transaction consumer accounts that may be vulnerable to identity theft.

If you have “covered accounts,” you’ll have to develop and implement a written program to detect and respond to the red flags of identity theft and update it periodically. 

How to Comply with “The Red Flags Rule”

Many observers doubt that the FTC will focus enforcement efforts on small businesses. However, it is the law; if you think you fall into any of the groups covered by the rule, then you’ll need to develop a written Identity Theft Prevention Program.

A good starting point is this plain language guide for businesses: Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (PDF). This FTC Red Flags Rule FAQ can also help.

The Good News: The FTC has also created a do-it-yourself template to help low-risk businesses create a plan. There are also many commercially available services and toolkits that can help businesses manage compliance.

Essentially, your program should enable your business to:

  • Identify relevant red flags – Identify the red flags of identity theft you’re likely to come across in your business.
  • Detect red flags – Set up procedures to detect those red flags in your day-to-day operations.
  • Prevent and mitigate identity theft – If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done.
  • Update your program – Keep it current based on emerging risks.

Failure by anyone in your business to recognize and report identity theft red flags can be costly, with both FTC fines and potential liability litigation from impacted consumers. If you think the Red Flags Rule applies to your business, take some time to read the business guides from the FTC, and if necessary, consult your attorney.


About the Author:

Caron Beesley


Caron Beesley is a small business owner, a writer, and marketing communications consultant. Caron works with the SBA.gov team to promote essential government resources that help entrepreneurs and small business owners start-up, grow and succeed. Follow Caron on Twitter: @caronbeesley