Does the Red Flags Rule Affect You?

The answer is "probably."

In November 2007, the Federal Trade Commission issued a set of regulations known as the "Red Flags Rule" requiring certain entities implement written identity theft prevention and detection programs. The Rule was supposed to go into effect in November 2008, but thanks to outcry from business trade groups like the American Medical Association and the American Institute of Certified Public Accountants, the effective date has been delayed several times. The Rule now goes into effect June 1, 2010.

The Red Flags Rule applies to "financial institutions" and "creditors" that have "covered accounts." You may think you are not required to conform to these rules because you are not a financial institution, but you may very well be a creditor.

Under the Red Flags Rule, a creditor is defined as any entity that regularly extends, renews or continues credit; any entity that arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew or continue credit. In laymen's terms, this is any entity who has accounts receivable. As CPAs, we originally did not think the Rule applied to us until we realized that our accounts receivable fall into the above definition.

The Red Flags Rule requires a business create and implement a written Identity Theft Prevention Program. This program is to be designed to detect the warning signs or "red flags" of identity theft in a business' day-to-day operation, to take steps to prevent the theft if possible, and to mitigate the damages it inflicts.

There is no one-size-fits-all Identity Theft Prevention Program. Each business must develop a program that fits its particular situation, with consideration given to the following areas:

  1. Policies and procedures to identify the "red flags" of identity theft that may occur in your day-to-day business operations.
  2. How the "red flags" will be detected.
  3. Actions that will be taken when "red flags" are detected.
  4. How the program will be re-evaluated periodically to reflect new identity theft risks.

We are in the midst of developing our own Identity Theft Prevention Program (the implementation date for CPAs has been delayed beyond June 1st because of a lawsuit filed by our trade group). We recommend you consider the requirement for your company to have a Red Flags Program, if you haven't already. Your trade association may have more information available to you, and we also recommend you visit the FTC website.