FTC ‘Red Flags’ rule enforcement begins this week

UPDATE: FTC grants 3-month extension on Red Flags rule enforcement
The Federal Trade Commission (FTC) announced April 30 that it would push back its enforcement deadline for the identity-theft-related Red Flags rule until Aug. 1. This information became available after NEWStat’s press time.
Read more on the extension here.


On May 1, the Federal Trade Commission (FTC) will begin enforcement of the new “Red Flags” Rule. The rule applies to certain types of businesses – including many veterinary practices - and is designed to help detect and stop identity theft.

Does your practice need to comply with the rule? The key to the answer lies in two points: If you are a “creditor,” and you have “covered accounts” as defined by the rule, then your practice must comply.

According to the FTC rule, the term “creditor” includes “businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.” Accepting credit cards as payment does not necessarily qualify you as a creditor, but if you allow clients to pay off their bills over time, or if you bill clients after services are performed, then you are a creditor.

Covered accounts refers to “consumer accounts that allow multiple payments or transactions, or any other account with a reasonably foreseeable risk of identity theft,” according to the commission

If your practice meets both of these criteria, you must come up with a written “Identity Theft Prevention Program” that shows how you will identify and deal with any red flags that come up in those accounts.

The plan must include four elements. It must describe how you will:

  • identify relevant red flags
  • detect red flags
  • prevent and mitigate identity theft in response to the red flags
  • keep your program up-to-date

What are the Red Flags?
According to the FTC’s guide, Fighting Fraud with the Red Flags Rule, red flags are “potential patterns, practices, or specific activities indicating the possibility of identity theft.” Since each business is different, the FTC does not spell out specifically what the red flags are. However, it does lay out five categories that can be used in framing an identity theft-prevention program. The categories are:

  • Alerts, notifications, and warnings from a credit reporting company
  • Suspicious documents
  • Suspicious personal identifying information
  • Suspicious account activity
  • Notice from other sources

The American Veterinary Medical Association (AVMA) has been receiving an increased number of calls and e-mails regarding the rule, said Adrian Hochstadt, JD, assistant director of state legislative and regulatory affairs. The AVMA has set up an informational page with resources to help practices address the new rule, including an informational webinar on April 30.

The FTC says there will be no criminal penalties for non-compliance, but there could be financial penalties. Plus, it is a good idea to have the plans in place anyway, said AVMA’s Hochstadt.

“Regardless of the technical application of the rule, veterinary practices are well-advised to get familiar with the problem of identity theft and examine how they can protect their clients’ and employees’ private information,” Hochstadt said. “Sound risk management and business practices dictate that you don’t want private information of your employees and clients to fall into the wrong hands.”


E-mail the FTC with questions: [email protected]

NEWStat Legislation & regulation