Federal Trade Commission
Protecting America's Consumers
by Steven Toporoff
As many as nine million Americans have their identities stolen each year. The economic, psychological, and emotional harm to victims can be devastating. The cost to businesses — left with unpaid bills racked up by scam artists — can be staggering too.
The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses that bill consumers after providing services – including lawn care companies, house cleaning businesses, and others that offer services around the home – to develop a written program to spot the warning signs – or “red flags” – of identity theft. Even though the risk for identity theft in your line of business may be low, the Red Flags Rule may still apply.
If you are covered by the Rule, have you developed your Identity Theft Prevention Program to detect, prevent, and minimize the damage that could result from identity theft? The FTC has released a fill-in-the-blank form specifically designed to help businesses at low risk for identity theft. The online form, available at ftc.gov/redflagsrule, offers step-by-step instructions for creating your own written Identity Theft Prevention Program.
Identity thieves have been known to rent or occupy a home using a stolen identity and then charge goods and services in the victim’s name. To help prevent this type of crime, businesses must review their billing and payment procedures to determine if they’re covered by the Red Flags Rule. Whether the law applies to you isn’t based on the kind of business you’re in, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”
Companies that provide services in and around the home may be covered by the Red Flags Rule if they are “creditors.” Although you may not think of your business as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any company that regularly defers payment for goods or services (or arranges for the extension of credit) and then bills customers later. Simply accepting credit cards as a form of payment does not make you a creditor under the Rule.
The second key term – “covered account” – is defined as either: (1) a consumer account that allows multiple payments or transactions, or (2) any other account with a reasonably foreseeable risk of identity theft. You will have a “consumer account” if your relationship with customers involves multiple payments or transactions – for example, a contract to provide lawn care throughout the spring and summer. Those are “consumer accounts” because they are for a personal, family, or household purpose. In contrast, if you have business-to-business accounts – like a company that provides janitorial services for office buildings – you would not qualify as having a “covered account” unless you determine that the account poses a reasonably foreseeable risk of identity theft.
If you are a creditor because you bill customers after providing services, but you do not have any covered accounts, you do not need a program. But if you are a creditor with covered accounts, you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft.
The Red Flags Rule gives you the flexibility to implement a program that best suits the operation of your business, as long as it meets the Rule’s requirements. Your business may already have a fraud prevention or security program in place that you can use as a starting point.
If you’re covered by the Rule, your program must:
What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule – available at ftc.gov/redflagsrule – sets out some examples. If identity theft isn’t a big risk in your business, complying with the Rule should be simple and straightforward, with only a few red flags. This may be particularly true for companies that know their clients well because they regularly provide services at the customers’ homes. In that case, your program might focus on how you’ll respond if you’re notified – say, by a consumer or a law enforcement officer – that a person’s identity was misused at your business. Cooperation is key. Heed warnings from others that identity theft may be ongoing.
Once you’ve identified the red flags that are relevant to your business, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? For example, if you’re notified that an identity thief has used another person’s information, how will you ensure that you don’t charge the debt to the victim? Your program also must consider how you’ll keep it current and address new risks and trends. The FTC’s fill-in-the-blank form for businesses at low risk for identity theft takes you through each of these steps.
No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors or, if your company doesn’t have a Board, by a senior employee. This is true even for a low-risk business. The Board or senior employee may oversee the administration of the program, including approving any important changes, or may designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of any service providers – for example, those who manage your business’ collections operations. The key is to make sure the appropriate members of your staff are familiar with the Rule and your new compliance procedures.
Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your customers that you’re doing your part to fight identity theft.
Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and more information about your compliance responsibilities, visit ftc.gov/redflagsrule. In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at ftc.gov/redflagsrule.
Questions about the Rule? Email RedFlags@ftc.gov.
Steven Toporoff is an attorney with the FTC’s Division of Privacy & Identity Protection.