Member Links

IACC Blue Book

IACC Logos

Scope

IACC Listserve

Benchmarking

Members Only Resources

Bylaws

	Home About .

Does the Red Flags Rule Apply to Commercial Debt Collection Agencies?

As a general matter, the Red Flags Rule applies to debt collectors collecting commercial debt and requires debt collectors to develop and implement written policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

The Red Flags Rule requires creditors and financial institutions that offer or maintain covered accounts to adopt and implement an identity theft prevention program. The Federal Trade Commission (FTC) recently delayed enforcement of the Rule to Nov. 1, 2009 (previously Aug. 1, 2009) to give creditors and financial institutions more time to develop and implement a written identity theft prevention program.

Specifically, the Red Flags Rule applies to financial institutions and creditors that maintain covered accounts. A financial institution is an entity that holds a transaction account where an individual can make payments or transfers (e.g., banks, credit unions, etc.). A creditor is defined as an entity that extends, renews, or continues credit. The definitions for a financial institution and creditor do not distinguish between consumer and commercial accounts, transactions, or credit for purpose of the Red Flags Rule.

Notably, financial institutions and creditors must develop and implement a written identity theft prevention program for covered accounts, which includes accounts “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.”

As a result, financial institutions and creditors extending credit or arranging a transaction for commercial purposes are not exempted from complying with the Red Flags Rule. The definition for a covered account is important because if there is no reasonably foreseeable risk of identity theft for a commercial account, compliance with the Red Flags Rule may not be required.

Commercial debt collectors are likely not a financial institution or creditor, but still have an obligation to comply with the Red Flags Rule because the Rule requires service providers who perform an activity in connection with a covered account for a financial institution or creditor to develop and implement reasonable policies and procedures designed to detect, prevent, and mitigate identity theft. The Rule defines a service provider as a person that provides a service directly to the financial institution or creditor (i.e., collecting debt on behalf of a creditor).

Because the definition of a covered account is extremely broad, any creditor, financial institution, or service provider for a creditor or financial institution that reasonably foresees problems arising from identity theft should be prepared to design policies and procedures to address identity theft concerns. Commercial debt collectors should consult with their client(s) to determine if the client fits the definition of a creditor or financial institution. If so, as a service provider, the commercial collector should confer with their client to determine what reasonable policies and procedures are appropriate to satisfy the Red Flags Rule. This is particularly important because under the Rule, creditors and financial institutions are required to exercise appropriate and effective oversight of service provider arrangements.

The Rule does not specifically state what must be included in an identity theft prevention program, but instead provides flexibility to implement a program that best fits the day-to-day business actions of an agency. Some agencies may have many of these procedures already in place in complying with federal and state laws concerning identity theft. It is also important to underscore the Red Flags Rule requires all policies and procedures to be in writing.

IACC members may also wish to consult with qualified counsel as to what policies and procedures are required and which may need to be updated to bring the agency in compliance with the Red Flags Rule.

In addition, the FTC’s Web site offers resources to help entities determine if they are covered under the Rule and how to comply with these rules if required, which includes templates and guides for businesses. The FTC’s Red Flag information can be located at: www.ftc.gov/redflagsrule.