By: Michael Boeheim, Director, CIA CFE


Some nine million Americans will likely have their identities stolen this year, according to the Federal Trade Commission (FTC). Identity thieves may steal money, damage credit scores and rack up unpaid credit.

The goal of the Red Flags Rule is to reduce the risk of identity theft. Some commercial lenders mistakenly think it doesn’t apply unless they make personal loans. But the rule actually applies to many small business lenders, as well as business borrowers.

What the rule means

A team of Federal banking agencies and the FTC have come together to develop and enforce the Red Flags Rule. The rule requires creditors and financial institutions to create, implement and administer a written identity theft prevention program.

Who’s affected by it

Any financial institution that directly or indirectly holds consumer accounts must comply with the rule. Moreover, it applies to creditors who defer payment for goods or services, as well as those that arrange, renew, extend or set credit terms. The rule must be followed if the creditor regularly uses consumer reports or files reports with credit agencies in the ordinary course of business.

The FTC calls out small business and sole proprietor accounts as possessing a “reasonably foreseeable” risk of identity theft. If your bank requests personal financial statements from business owners, or it runs credit checks on people who guarantee your commercial loans, the rule will likely apply to you.

It also applies to many borrowers — including utility and telecommunication providers, auto dealers, and some financial services firms — that hold covered transaction accounts.

4 steps to compliance

To comply with the Red Flags Rule, you’ll need to follow this four-step process:

1.      Identify any and all relevant red flags. These include suspicious patterns or practices that can forewarn of the possibility of identity theft, such as signatures or documents that appear to be forged, inconsistent Social Security numbers or addresses, and undeliverable mail.

2.      Detect those red flags. Your bank should implement identity verification and authentication procedures to uncover possible red flags. You might ask to see prospective borrowers’ IDs, or perhaps run personal credit checks on them. PINs, signatures and security questions can help you confirm the identity of existing account holders.

3.      Mitigate and prevent theft. Red flags require appropriate and prompt responses, including contacting the customer, notifying law enforcement agencies or changing passwords.

4.      Update the program. New red flags will likely emerge and business models will change. So, as part of your annual “spring cleaning,” evaluate if you and your borrowers are doing all you can to protect personal information from identity theft.


Freed Maxick’s Asset Based Lending Team works with dozens of asset based lenders across the country. We can assist you in assessing your four steps to compliance. If you think you are not in compliance with the Red Flags Rule, contact us today.