Know The Law – FTC Red Flags Rule – 10/2010

October 25, 2010

Published in the Union Leader

Q:  My business occasionally extends credit to customers who are unable to afford paying invoices on our regular Net 30 days terms.  Do we need to comply with the Federal Trade Commission’s Red Flags Rule?

A:  The answer depends on whether or not your company is a “creditor” or “financial institution” and manages a “covered account” as defined by the Federal Trade Commission (FTC).
The FTC’s regulations, known as the “Red Flags Rule,” require a business or organization to implement a written identity theft prevention program designed to detect the warning signs, or “red flags,” of identity theft in its daily operations.  The Rule became effective on January 1, 2008, and the FTC has extended enforcement, requiring your compliance with the Rule by December 31, 2010.
The main challenge a business will face with this Rule is figuring out if it is a “creditor” with a “covered account.”  A business is a “creditor” if it permits deferred payment of debt.  The FTC says, “any person that provides a product or service for which the consumer pays after delivery is a creditor.”  Creditors include entities that “defer payment for goods or services” or “businesses that provide services and bill later.” 
Generally, accepting credit cards as a form of payment does not in and of itself make an entity a creditor.  Creditors typically include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.  Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors.
Creditors must develop an identity theft program for any “covered account.”  A covered account is an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.  The ambiguity of this definition requires careful thinking to ensure compliance with the Rule.
At a minimum, the identity theft program must describe appropriate responses that would prevent and mitigate identity theft.  The company’s Board of Directors or senior employees must approve and manage the program.  Finally, the program needs to include appropriate staff training and provide for oversight of any service providers.
Neil can be reached at   
Know the Law is a bi-weekly column sponsored by The McLane Law Firm.
We invite your questions of business law.  Questions and ideas for future columns should be addressed to:  Know the Law, The McLane Law Firm, P.O. Box 888, Manchester, NH 03101 or emailed to