The Federal Trade Commission (FTC) "Red Flags Rules" require creditors to develop and implement identity theft prevention programs. These programs must be designed to identify, detect and respond to suspicious patterns, practices and activities that could indicate identity theft. The deadline for compliance with the Red Flags Rules, which includes board approval of the policies and training of all employees, is May 1, 2009. Penalties for violating the Red Flags Rules are substantial, as outlined below.

Businesses subject to the Red Flags Rules must establish a written policy that identifies warning signs of identity theft ("red flags"). For example, red flags may include unusual account activity, fraud alerts on a consumer report, or an attempt to use suspicious documents when applying for an account. The policy must establish methods of detecting red flags and delineate appropriate responses for the prevention and mitigation of identity theft. The Red Flags Rules further provide that the program must be managed by the Board of Directors or senior employees, include staff training, and include oversight of any service providers.

To whom do the FTC's Red Flags Rules apply?

The Red Flags Rules apply to financial institutions and certain creditors. The FTC defines "creditor" broadly. Therefore, whether or not you consider your business to be a creditor under the common meaning of the term, it is crucial to assess whether your business fits the FTC definition.

The Red Flags Rules apply to companies that regularly extend, renew or continue credit (for example, by accepting deferred payments or installment payments) and either:

  • offer or maintain accounts that permit multiple payments for primarily individual purposes, not business-to-business purposes; or
  • offer or maintain business-to-business accounts, if there is a reasonably foreseeable risk of financial loss, operational dysfunction, non-compliance with legal obligations, reputational damage, or litigation (to either the account holder or the creditor itself) stemming from identity theft. This is intended to cover sole proprietorship or small business accounts, which are more susceptible to identity theft than those of larger businesses.

The Red Flags Rules may apply to a wide range of companies, including:

  • Automobile dealers
  • Service companies that permit customers to defer payments
  • Telecommunications providers
  • Utility companies
  • Retailers that extend credit
  • Mortgage brokers
  • Healthcare providers
  • Colleges and universities
  • Many other businesses that permit their customers to defer payments

Penalties for violating the Red Flags Rules:

  • The FTC may seek up to $3,500 per violation, for certain violations.
  • States may bring enforcement actions on behalf of their citizens, seeking either direct damages or up to $1,000 per independent violation, plus recovery of attorney's fees from the violator.
  • Affected consumers may bring civil suits seeking actual damages, plus attorney's fees from the violator, for negligent violations. For willful noncompliance, consumers may seek actual damages of up to $1,000, plus punitive damages and attorney's fees from the violator.
