Final Deadline to Implement Identity Theft Red Flags Rules for FTC-Regulated Entities is November 1, 2009

October 29, 2009 at 9:05 pm Leave a comment

The new deadline to implement the Federal Trade Commission (FTC) rules on Identity Theft Red Flags is November 1, 2009.  (To access the FTC’s FAQs on the Red Flags Rules, click here.  To access the text of the Red Flags Rule, click here.   And for the FTC’s “How To”  guide for businesses, click here). 

These rules have a surprisingly wide application to businesses, many of whom don’t think of themselves as “creditors.”  Under the rules, any “creditor” with “covered accounts” must develop and implement a Red Flags Program.  Since these terms are broadly defined, the FTC estimated that over 11 million entities subject to its jurisdiction would qualify as “creditors” under the rules. A s a result, you may very well be a creditor under the rules.


A “creditor” includes any entity that allows customers to defer payment for goods and services (including through the common practice of billing customers after goods or services are provided), even if no finance charges or installment payments are involved.  Such entities include, for example, health care providers, mortgage brokers, utility companies and many merchants who wouldn’t ordinarily think of themselves as “creditors.”

Covered Accounts

If you are a creditor under the Red Flags Rules, you must next determine if you have any “covered accounts.” “Covered accounts” are not limited to formal deposit or credit accounts.  Instead, any continuing relationship under which a customer can obtain goods or services that are primarily for personal, family or household purposes and that involves, or is designed to permit, multiple payments or transactions is a “covered account.”  In addition, a “covered account” is any account (including a business account) for which there is a reasonably foreseeable risk to you or your customers from identity theft.  To determine if there is a foreseeable risk from identity theft, consider the methods used to open the account, the methods used to access the account and your previous experience with identity theft.

The Red Flags Program

If you are a creditor who does not have any covered accounts, you do not need to develop a Red Flags Program.  However, the rules require that you periodically reevaluate whether you are offering or maintaining covered accounts.  If you ever determine that you offer or maintain covered accounts, then you will need to develop and implement a Red Flags Program.

If you are a creditor with covered accounts, you will need develop and implement a written Red Flags Program.  The program must be designed to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.  There is no one-size-fits-all program and each creditor needs to tailor its program to its own circumstances.  If you determine that you are a low-risk entity, then your program can be simple and streamlined.

If you have questions about the Red Flags Rules or would like a copy, please let us know.  You need to act now to determine if you are a creditor and to comply with the Red Flags Rules.


For further information regarding this e-alert, contact Mark Hargrave or Selena Nelson.  If you are a health care provider, contact Kirk Doan, Megan Snow or Patricia Zieg.

Entry filed under: Uncategorized.

President Announces Community Bank Program to Increase Credit Flow to Small Businesses FDIC Announces Final Rule for Prepaid Assessments: Exemption Applications Due by December 1st

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Enter your email address to follow this blog and receive notifications of new posts by email.

Produced & Maintained By

Stinson Leonard Street Logo


A legal resource for Banking & Financial Services


%d bloggers like this: