FAQs about the Red Flags Rule

Nine million Americans will have their identities stolen this year, according to the Federal Trade Commission (FTC). Identity thieves may steal money, rack up unpaid credit and damage credit scores. The Red Flags Rule aims to reduce the risk of identity theft.

Some commercial lenders mistakenly presume the rule doesn’t apply unless they make personal loans. But it actually does apply to many small business lenders — and their business borrowers. Let’s look at the answers to a few FAQs about the rule:

What is the Red Flags Rule? The FTC and federal banking agencies teamed up to develop and enforce the Red Flags Rule. It combats identity theft by requiring financial institutions and creditors to develop, implement and administer a written identity theft prevention program.

Who’s required to follow it? Financial institutions that directly or indirectly hold consumer accounts must comply with the Red Flags Rule. It also applies to creditors that defer payment for goods or services, as well as those that arrange, extend, renew or set credit terms. Creditors must follow the rule only if they regularly use consumer reports or file reports with credit agencies in the ordinary course of business.

The FTC lists small business and sole proprietor accounts as possessing a “reasonably foreseeable” risk of identity theft. If you request personal financial statements from business owners or run credit checks on people who guarantee your commercial loans, the rule probably applies to you.

It also applies to many borrowers — including auto dealers, utility and telecommunication providers, and some financial services firms — that hold covered transaction accounts.

What does compliance entail? Complying with the Red Flags Rule is a four-step process:

1. Identify relevant red flags. These are suspicious patterns or practices that forewarn of the possibility of identity theft, such as documents or signatures that appear to be forged, inconsistent addresses or Social Security numbers, and undeliverable mail.
2. Detect red flags. You must implement identity verification and authentication procedures to unearth any red flags. You might ask to see prospective borrowers’ government-issued IDs or perhaps run personal credit checks on them. Signatures, PINs and security questions can help confirm the identity of existing account holders.
3. Prevent and mitigate theft. Red flags require prompt, appropriate responses. These might include contacting the customer, changing passwords or notifying law enforcement agencies.
4. Update the program regularly. New red flags emerge and business models change. As part of your annual “spring cleaning,” evaluate whether you and your borrowers are doing all you can to protect personal information from identity theft.