The “Red Flags” Rule for Small Businesses: Are You in Compliance?

Written by esyra17star


Nearly 10 million Americans are victims of identity theft every year, and the numbers are rising. Often, identity theft stems from the theft or misuse of data collected by businesses.

Because so many cases of identity theft can be traced back to businesses, the federal government has implemented regulations designed to not only hold organizations accountable for protecting customer data, but also detecting and preventing identity theft before it occurs. The so-called “Red Flags Rule,” which went into effect in 2007 as part of the Fair Credit Reporting Act, requires businesses to not only be aware of certain indicators of possible cases of identity theft, but to have a plan for taking action if those signs appear.

The Red Flags Rule in a Nutshell

The Red Flags Rule is administered and enforced by the Federal Trade Commission, the Securities and Exchange Commission, and other federal agencies charged with regulating commerce in the U.S. The rule requires that businesses have a plan to combat identity theft, and that plan breaks down into four parts:

1. The plan must identify the signs of suspicious activity — the red flags — within your business that will trigger further investigation. Not all businesses have the same red flags.

2. The plan must include procedures for detecting red flags; for example, employees must know what to look for when evaluating identification and the signs of a fake or forged document.

3. The plan must include what you will do when you detect red flags; and

4. The plan should include provisions for keeping it current.

Because all businesses are different and face different levels of risk, every plan is different. In other words, the plan for a bank will be more comprehensive and include more red flags than the plan for a business that handles less sensitive information.

However, regardless of the risk, all businesses must be prepared to respond to cases of identity theft and take corrective (and protective) action.

While the breakdown of plan requirements is fairly straightforward, determining who has to abide by the Red Flags Rule is somewhat less clear. In fact, not all businesses have to follow the rule, even if they collect personal information from their customers.

Who Must Comply With the Red Flags Rule

There are two categories of businesses that have to adhere to the Red Flags Rule: financial institutions and creditors, if they have what are deemed “covered accounts.” There are two types of covered accounts:

1. Accounts that involve many transactions and payments, such as checking and savings accounts, credit accounts, and loans; and

2. Accounts with a reasonably foreseeable risk of identity theft, such as small business or sole proprietorship accounts.

Generally, any account that can be accessed online or via the telephone comes with a reasonably foreseeable risk of identity theft, making it a covered account.

While the financial institution designation obviously applies to businesses like banks or lending companies, the designation of creditor is a little less clear. Essentially, if a business defers or extends payment terms, grants or arranges credit, or helps decide whether credit should be granted, AND it either uses credit reports, makes reports to the credit bureaus, or advances funds in exchange for collateral, then that business is deemed a creditor.

What trips up many businesses, though, are certain gray areas in the definition of a creditor. For example, if your business invoices customers for goods or services at the end of the month, you aren’t necessarily a creditor, because the billing terms are not based on creditworthiness and you are not advancing funds. However, if Net 30 billing is based on a customer’s credit history and you report payments to a credit bureau, you are bound by the rule.

It’s important to note that the Red Flags Rule only applies if the activities that make a business a creditor occur regularly in the normal operation of the business. If you only pull credit reports occasionally, or only report seriously delinquent accounts, you are not a creditor under the definition of this rule.

Protecting Information

Regardless of whether or not your business is legally bound by the terms of the Red Flags Rule, it’s a smart practice for all businesses to comply with it and develop an identification and response plan. Developing strict security policies and procedures to protect personal information, and training all staff to recognize the signs of possible identity crimes, are the first steps toward reducing the prevalence of identity theft and keeping everyone’s data safe.
