By: Kelly Carson

Last month, the Federal Trade Commission (FTC) issued an updated “How-To” guide to help businesses and organizations determine whether they are subject to the agency’s Red Flags rule (Rule).  Under the Rule, certain entities are required to establish written programs that are aimed at detecting and preventing identity theft.

The FTC’s revised guide lays out which businesses the Rule covers — namely, “financial institutions” and some “creditors” — as well as the steps they must take to comply with the Rule’s requirements.  As covered in a previous post, the Rule was amended in November 2012 to narrow the definition of “creditor,” bringing it in line with the Red Flag Program Clarification Act of 2012.

The guide provides a two-part test to determine whether an entity is required to comply with the Rule.  First, the entity must determine if it is a “financial institution” or a “creditor” as defined by the Rule.  If so, the second step is to assess whether the entity has any “covered accounts” (again, as defined by the Rule).  In making this assessment, an entity is advised to “look at existing accounts and new ones,” and the guide lists the two categories of covered accounts for reference.  If an entity is either a financial institution or a creditor and has covered accounts, the entity is required to comply with the Rule.

Also included in the guide is a list of frequently asked questions regarding the Rule’s scope and application, such as:

  • In my legal practice, I often make copies and pay filing, court, or expert fees for my clients.  Am I “advancing funds”?
  • I am a professional who bills my clients for services at the end of the month.  Am I a creditor just because I allow clients to pay later?
  • What if I occasionally get credit reports in connection with credit transactions?
  • Our company is a “creditor” under the Rule and we have credit and non-credit accounts.  Do we have to determine if both types of accounts are “covered accounts”?
  • My business isn’t subject to much of a risk that a crook is going to misuse someone’s identity to steal from me, but it does have covered accounts.  How should I structure my program?

The guide concludes with a four-step process that covered entities are to follow when implementing a Red Flag program.  These steps include: (1) identifying relevant Red Flags; (2) detecting Red Flags; (3) preventing and mitigating identity theft; and (4) updating the program.