035: FTC Red Flag Rules

Learning Objectives

Upon completion of this Case Study, participants should:

  • Understand Identity Theft and its consequences;
  • Describe to small and mid-sized businesses steps they need to take in order to protect against Identity Theft;
  • Explain the concepts of Advancing Funds and Covered Accounts as they relate to the Federal Trade Commission;
  • Understand why Identity Theft is a concern for businesses; and
  • Identify methods to prevent Identity Theft from ruining your business.

State of the Industry

Identity Theft has been an ongoing problem in the United States for some time, with new cases increasing every year. The Federal Trade Commission (FTC) estimates nine million Americans will have their identities stolen this year. This current problem creates major issues for small and mid-sized businesses and organizations, bringing unexpected costs, litigation and lawyer fees. In some cases, criminal charges follow.

People do not always realize the risk associated with a government investigation or the power the investigators hold. Government agencies will investigate wrongdoings, intentional or not. Business owners and leaders who do not view themselves as being “criminals” frequently find themselves being accused of white-collar crimes. This case study profiles FTC “Red Flags Rule” and offers suggestions on how to properly follow the law and stay out of trouble.

The FTC Red Flags Rulerequires businesses and organizations to implement a written identity theft prevention program. The agency designed this program:

  • To detect the “red flags” of identity theft in their day-to-day operations,
  • To take steps to prevent the crime, and
  • To mitigate damages.


According to the FTC, a Red Flags Rule program must include four basic elements that create a framework to deal with the threat of identity theft. A Red Flags Rule program must:

  1. include reasonable policies and procedures to identify the red flags of Identity Theft that may occur in your day-to-day operations.
  2. be designed to detect the red flags your business has identified.
  3. spell out appropriate actions your business will take when red flags are detected.
  4. detail procedures to keep your business current on new Identity Theft threats and trends.

Securing data that a business collects and maintains about customers can reduce Identity Theft. The Red Flags Rule seeks to prevent Identity Theft. It requires a business or organization to stay on the lookout for the signs that someone may be using someone else’s information. Typically, thieves steal identifies to obtain products or services illegally.


In accordance with FTC guidance, we recommend a two-pronged approach in the battle against Identity Theft:

  1. Implement data security practices that make it harder for unscrupulous people to access personal information they use to open or access accounts, and
  2. Create policies to monitor red flags that may suggest fraudulent transactions.

The FTC has been clear that the agency expects and organized and well-defined Identity Theft program. The agency would like to see a written program that is integral to daily operations of the business. The Rule should be appropriate to a business’ size and its potential risk to Identity Theft. Larger businesses and organizations will need a more comprehensive written program to address a high risk of Identity Theft.

The Red Flags Rule requires “financial institutions” and some “creditors” to conduct a periodic risk assessment to determine if they have “covered accounts.”

The FTC will determine “covered accounts” in accordance with relevant definitions. The FTC uses the federal statutory definition from the Equal Credit Opportunity Act (ECOA). In layman terms, the term “creditor” relates to deferring payment from a customer for goods or services over a set period of time.

The FTC has provided the below step-by-step guide to assess whether a business qualifies as a creditor under the Red Flags Rule. Leaders should ask the following questions:

Does my business or organization regularly:

  • defer payment for goods and services or bill customers?
  • grant or arrange credit?
  • participate in the decision to extend, renew, or set the terms of credit?

If you answer:

  • No to all, the Red Flags Rule does not apply.
  • Yes to one or more, ask:

Does my business or organization regularly in the ordinary course of business:

  • get or use consumer reports in connection with a credit transaction?
  • give information to credit reporting companies in connection with a credit transaction?
  • advance funds to, or for, someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services you provide to them)?

If you answer:

  • No to all, the Red Flags Rule does not apply.
  • Yes to one or more, you are a creditor covered by the Red Flags Rule.

If a business or organization acts as a “creditor” as defined by the FTC, the business must determine if it maintains any “covered accounts.”

To determine whether “covered accounts” apply, leaders must assess existing andnew accounts:

  1. A consumer account for customers of personal, family, or household purposes that involves or allows multiple payments or transactions.
  2. Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

If the analysis shows the business does not have any “covered accounts,” the business does not need a written Red Flags Rule program.

Take the quiz

Click the quiz below to get started


Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business | Federal Trade Commission (ftc.gov)