Q: I recently learned about the Federal Trade Commission's Red Flags Rule, requiring businesses to plan a response to identity theft and fraud. My business has an online store, so does this apply to me? What steps do I need to take to become compliant?
A: Whether you're subject to the Red Flags Rule depends largely on how you get paid. If your customers simply charge purchases to a bank credit card, you're probably exempt. If you offer your own credit card, or sell first and collect payment later, you probably need to comply.
The rule took effect at the end of last year. It requires financial institutions and certain "creditors" to implement a written program for detecting and dealing with warning signs, or "red flags," that can indicate someone is trying to commit identify theft. Examples include an alert from a consumer reporting agency, or the presentation of suspect identification documents.
If you're covered under the rule, your Red Flags Rule program must do four things:
- Identify red flags relevant to your business or industry.
- Spell out procedures for detecting those red flags.
- Detail how you will respond to a red flag. (Who will you notify, what will you tell them?)
- Provide for regular updates to your procedures and the education of your staff.
Physicians, attorneys, accountants and many other professionals and service providers are exempt from the rule under the Red Flag Program Clarification Act of 2010. Other businesses qualify as creditors if they maintain consumer accounts that permit multiple payments or transactions and offer the potential for identity theft, and they (a) obtain or use consumer credit reports in connection with credit transactions, (b) furnish information to consumer reporting agencies in connection with credit transactions, or (c) advance funds to or on behalf of someone else -- unless the funds relate to providing of a service.
The FTC has information about the Red Flags Rule on its website here. Although it was published prior to the Clarification Act, this FTC how-to guide also offers helpful compliance advice. Failure to comply could result in FTC penalties of up to $3,500 for each customer account you maintain.