Identity theft is on the rise. Impacting more than 10 million consumers each year, it also costs businesses an estimated $221 billion annually. To help combat this threat, the Federal Trade Commission (FTC) has just implemented new regulations designed to help prevent identity theft, known as The Red Flags Rule.
If you are a small business that provides products and services to your customers and bills them later, there's a good chance you need to comply with these new requirements.
Read on to determine if the Rule applies to you and how to comply:
The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs, or "red flags," of identity theft in their day-to-day operations, such as an impostor trying to defraud you while using someone else's identity. The rule went into effect on June 1, 2012.
The rule applies primarily to organizations you might expect to be typical targets for identity theft, like "financial institutions" (banks, credit unions, etc.) and also to "creditors." But it applies to a much broader base of businesses, too. The key term here is "creditor." The rule's definition of "creditor" is very broad and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later.
For example, law firms and accounting firms that receive payment after a service is completed are considered creditors. Likewise, if your business extends credit, makes credit decisions, or processes credit applications, you are also covered by the rule.
NOTE: Simply accepting credit cards as a form of payment does not make you a "creditor" under the Red Flags Rule. But if a company offers its own credit card, arranges credit for its customers, or extends credit by selling customers goods or services now and billing them later, it is a "creditor" under the law.
NEXT: If you think your business falls into any of these buckets, you'll need to determine whether the accounts you maintain fall under the FTC's definition of being at risk for identity theft. These are called "covered accounts" and include:
If you have "covered accounts," you'll have to develop and implement a written program to detect and respond to the red flags of identity theft and update it periodically.
However, it is the law; if you think you fall into any of the groups covered by the rule, then you'll need to develop a written Identity Theft Prevention Program.
A good starting point is this plain language guide for businesses: Fighting Fraud with the Red Flags Rule: A How-To Guide for Business. This FTC Red Flags Rule FAQ can also help.
The Good News: The FTC has also created a do-it-yourself template to help low-risk businesses create a plan. There are also many commercially available services and toolkits that can help businesses manage compliance.
Essentially, your program should enable your business to:
Failure by anyone in your business to recognize and report identity theft red flags can be costly, with both FTC fines and potential liability litigation from impacted consumers. If you think the Red Flags Rule applies to your business, take some time to read the business guides from the FTC, and if necessary, consult your attorney.
This story was featured in the June 2012 newsletter