6. Spotting Identity Theft

U.S. Legal Requirements

The Fair and Accurate Credit Transactions Act of 2003 ("FACTA") requires "financial institutions" and "creditors" that maintain "covered accounts" for their customers to create a written program to detect, prevent, and mitigate identity theft.

The Federal Trade Commission has issued a regulation implementing this requirement, called the Red Flags Rule, and publishes guidance to help businesses comply with it. In May 2013, the Commission released an updated guide entitled Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business (the "Guide") to help businesses and organizations determine whether they are subject to the Red Flags Rule and how to meet the Rule's requirements. The FTC's Guide includes information on which types of entities must comply with the Red Flags Rule, a set of FAQs, and a four-step process for achieving compliance.

Although you may not think of your business as either a "financial institution" or a "creditor," the FTC considers certain businesses that allow customers to defer payment for goods or services to be "creditors." For example, businesses that regularly obtain or use consumer reports in connection with credit transactions, that furnish information to consumer reporting agencies in connection with such transactions, or that advance funds to or on behalf of a person under certain circumstances are considered "creditors" under the Rule. If your business could be considered a "creditor," you should check whether any of your customer accounts may be "covered accounts" under the Rule.

Under the Rule, businesses with "covered accounts" must put in place a Red Flags program that:

  • Includes reasonable policies and procedures to identify the "red flags" of identity theft relevant to the day-to-day operations of the business.
  • Is designed to detect those red flags when they occur in the business's accounts.
  • Sets out the actions the business will take to respond appropriately upon detecting red flags.
  • Is re-evaluated and updated periodically to reflect changes in identity theft risks.

If you think your business may be covered by the Red Flags Rule, you may wish to consult an attorney to determine whether you are covered, whether you are required to have a written policy (a "Red Flags Policy"), and, if so, whether your Red Flags Policy complies with the Red Flags Rule.


Only 28% of small businesses provide training to employees about Internet safety and security.

Source: 2012 National Small Business Study, National Cyber Security Alliance, Symantec, & JZ Analytics.