What entities are subject to the Red Flag Rules?
The Red Flag Rules apply to financial institutions and creditors that create and maintain covered accounts (defined below). At first blush, an entity may think that it is not subject to the Red Flag Rules because it is not a credit card company or financial institution. However, although the Red Flag Rules certainly apply to financial institutions, they also apply to any “creditor.” The definition of “creditor” is broad. It includes any entity that regularly (1) extends or renews credit (or arranges for others to do so); and (2) provides goods and services to others and allows the consumer to defer payment. The ultimate consumer need not be an individual.
The FTC has provided a list of entities to which it believes the Red Flag Rules apply; however, the FTC cautions that its list is not exhaustive. Briefly, the FTC considers the following groups as prime candidates for Red Flag Rule compliance:
• Doctors, dentists, and other health care providers;
• Accountants and lawyers;
• Telecommunications companies;
• Debt collectors;
• Retailers; and
• Employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card.
Entities falling into these categories will need to evaluate their obligation to comply with the Red Flag Rules. As described below, the determination will be based in part upon the risk of identity theft among the accounts the entity holds.
The formal obligation to comply with the Red Flag Rules applies to entities with covered accounts. Therefore, all entities should, as an initial matter, examine their internal operations to determine whether they create or maintain covered accounts. The definition of a covered account, like the definition of creditor, is also broad. A covered account is (1) a consumer account designed to permit multiple payments or transactions; or (2) any other account that presents a reasonably foreseeable risk of identity theft. However, even businesses that have determined they do not have covered accounts must still conduct periodic risk assessments to ascertain whether that determination has changed.
Summary of Guidelines for Compliance