Last month, we blogged about whether the Red Flag Rules apply to medical care providers.  According to the FTC, they may also apply to retailers.

The Federal Trade Commission’s recently released “how-to” guide says that the Red Flag Rules apply to “retailers that offer financing or help consumers get financing from others, say, by processing credit applications.” However, most retailers have been caught off guard by this interpretation, since they are not accustomed to being considered “creditors.” Fortunately for them, in the nick of time for the May 1st compliance deadline, the FTC extended the deadline to August 1, 2009, giving retailers time to put their policies in place in a thoughtful and reasoned manner.

The Red Flag Rules require covered entities to implement a program to detect and respond appropriately to signs of identity theft. For a retailer that processes credit applications, this would mean, as an example, detecting situations in which a customer may be attempting to apply for credit using another person’s identity.

The FTC has reiterated that a covered entities’ red flag program should be “risk-based,” so if there is a relatively low risk of identity theft given the way the retailer processes credit applications, the red flag program can be simple. That said, there still needs to be a program in place.

As an example, where a retailer does nothing more than receive credit applications from customers and pass them on to a partner bank, the retailer could implement a program that includes, among other things:

  • Checking customers’ photo IDs when they apply for credit
  • Requesting multiple forms of ID
  • Training employees to know how to spot a fake ID
  • Following the guidelines for authenticating applicants provided by its partner bank
  • Documenting these procedures in writing, and training employees accordingly

The more involvement a retailer has in the processing of a credit application, the more robust its red flags program ought to be.