The Federal Trade Commission has issued revised guidance that narrows the scope of covered entities for businesses that struggle with the question of whether they are considered to be “creditors” or “financial institutions” subject to the “Red Flags” Rule.

The Rule, which took effect in 2011, was developed pursuant to the Fair and Accurate Credit Transactions Act and mandates that “creditors” and “financial institutions” that have “covered accounts” develop and implement written identity theft prevention programs to help detect and respond to patterns, practices, or specific activities – the “red flags” – that could indicate identity theft.

To reflect changes made by the Red Flags Program Clarification Act, the FTC narrowed the kinds of creditors covered by the Rule. The revised guide, “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business,” suggests companies ask themselves two questions.

First, does the company regularly defer payment for goods or services or bill customers, grant or arrange credit, or participate in the decision to extend, renew or set the terms of credit? If “yes,” an entity should move on to the second question.

Does the company or organization regularly and in the ordinary course of business get or use consumer reports in connection with a credit transaction; give information to credit reporting companies in connection with a credit transaction; or advance to (or for) someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services you provide them)?

If the business answers “yes” to any part of the second question, it is considered a creditor under the Red Flags Rule.

For those entities covered by the Rule, the guidance also offers a four-step manual on compliance and an FAQ section with examples.

To read the Red Flags Rule, click here.

To read the FTC’s “How-To Guide”, click here.

Why it matters: The latest guidance should provide greater clarity for businesses concerned about the application of the Red Flags Rule, especially as it narrows the focus of the Rule’s scope to a more limited group of “creditors.” The update is only the latest in the Rule’s brief but somewhat tortured history. Originally scheduled to take effect on January 1, 2008, controversy surrounding the scope of covered entities delayed the Rule five times. Lawsuits were also brought by the American Bar Association and the American Medical Association in which they maintained that members of their respective organizations should not be included among the covered entities.