Red Flags Rules Delayed Until Dec. 31

Author: NFIB Small Business Legal Center Date: April 22, 2009

Require Businesses to Develop Identity Theft Prevention Plans

FACT Act and Red Flags Rules

The Fair and Accurate Credit Transactions Act was passed in December, 2003 and is designed to prevent identity theft by protecting consumer information. The Federal Trade Commission is charged with enforcing the act.  

Small businesses that provide credit to customers should be aware that new FACTA rules from the FTC scheduled to go into effect June 1 have been delayed. The rules are now scheduled to go into effect on Dec. 31, 2010. On that date, the FTC will begin enforcing its Red Flags Rules, which require creditors to have in place programs to recognize and prevent identity theft.

What small businesses will be affected?

Virtually every small business that extends credit to customers or uses credit reports to make credit decisions about their customers will be affected. However, if your business simply accepts credit cards, without extending your own form of credit to customers, the rules are unlikely to apply to you.

What are the requirements of the Red Flags rules?

The rules require creditors to implement a written Identity Theft Prevention Program designed to detect the warning signs—or red flags—of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.

There are four main components of a complying plan:

  1. The plan must identify potential red flags your business is likely to come across. This includes receiving written notices from credit reporting agencies and suspicious account activity.
  2. The plan must establish procedures to detect the red flags you have identified in the first step.
  3. The third step is to act appropriately when a red flag is detected. This could mean notifying a customer, contacting law enforcement, closing an account, etc.
  4. The plan must be reviewed periodically to identify new potential sources of risk.

What are the penalties if I fail to comply?

Failing to comply with the new rules can lead to civil penalties under the Fair Credit Reporting Act. Currently, fines for single violations can be up to $3,500. However, repeat violators may face a suit from the FTC and significantly higher fines.

Where can I learn more?

For questions or comments regarding FACTA, please contact the FTC at 600 Pennsylvania Avenue, N.W., Washington D.C., 20580, (877) 382-4357 or online at

The FTC has published a helpful guide for businesses to learn more, including how to figure out if you’re covered and how to develop your plan.

This NFIB alert does not constitute legal advice, and you should consider consulting an attorney about any laws and regulations that are applicable in your state, locality or particular type of business.

blog comments powered by Disqus

Subscribe For Free News And Tips

Enter your email to get FREE small business insights. Learn more

Get to know NFIB

NFIB is America's leading small business association, promoting and protecting the right of our members to own, operate and grow their business

Find out more about
NFIB Membership

Or call us today