Calling all creditors

Share This Page

Are you a creditor?  Are you covered by the Red Flags Rule, a regulation designed to help businesses spot the signs — or "red flags" — of identity theft?  Do you know how to tell?

While everyone should secure any personal information they maintain about their customers, the Red Flags Rule goes a step further by requiring businesses and organizations covered by the regulation to be on the look-out for suspicious signs of identity theft, like forged or altered IDs.  Earlier this year, the FTC amended the Red Flags Rule to implement changes brought about by the Red Flag Program Clarification Act of 2010.  In a nutshell, the Rule still applies to “financial institutions” and “creditors.”  But the Clarification Act limits the kinds of creditors covered by the Rule.

To help you determine if the Red Flags Rule applies to your company or organization — and if it does, what you need to do to comply — the FTC has updated its publication, Fighting Identity Theft with the Red Flags Rule:  A How-To Guide for Business. The Guide advises businesses to run through two sets of questions to determine if they are “creditors” covered by the Rule.

The first question.  Does your company or organization regularly:

  • defer payment for goods or services or bill customers?
  • grant or arrange credit?
  • participate in the decision to extend, renew, or set the terms of credit?

If you answer yes to any of those, move to: 

The second question.  Does your company or organization regularly and in the ordinary course of business:

  • get or use consumer reports in connection with a credit transaction?
  • give information to credit reporting companies in connection with a credit transaction?
  • advance funds to (or for) someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services you provide to them).

If you answer yes to any of those, you’re a “creditor” under the amended Rule.

Still not sure if your company or organization is covered?  The How-To Guide for Business answers questions we’ve heard about applying that two-part test.  And if you are a “creditor,” the Guide provides detailed information on how to comply with the Rule’s requirement to have a written identity theft program in place.

Why should the Red Flags Rule matter to your customers and your company?  The purpose of the Rule is to help curtail identity theft, which strikes about 9 million Americans (and a lot of businesses) each year.  By implementing a common-sense identity theft program, businesses and organizations covered by the Rule can look out for telltale signs of identity theft and take measures to prevent the crime.



It seems ludicrous to me that I am asked to post personal identification information online for the energy company who has supplied my gas and lights for years I cannot imagine under what theory I am "a risk" for identity theft with that entity? Providing my SSN online is the highest risk of identify theft!

Any personal information on any mobile device, tablet or computer with internet or data can be remotely accessed by provider technicians, cyber defense team, military, law enforcement, etc. and as well as visual access to what your doing on when entering passwords, and personal information. So using your social security number that's not hidden well entering it on websites should be a new federal regulation. As well as on Android devices that shows your password as you enter it in.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.