It’s not surprising if you haven’t heard of the Red Flags Rule (“Rule”). That’s because since the Rule was originally slated to go into effect in January of 2008, members of the United States Congress have repeatedly asked the Federal Trade Commission (“FTC”) to delay implementation of the Rule while a legislative fix was sought limiting the entities that will be required to comply with the Rule. While that task has not been accomplished, the Rule is currently slated to become effective on January 1, 2011.

The purpose of the Rule is to reduce instances of identity theft. The Rule requires “financial institutions” and “creditors” with covered accounts to create a written program that identifies, detects and addresses the relevant warning signs – or “red flags” – of identity theft.

At first glance, most folks would conclude that community associations would not fall under the Rule. However, the FTC has broadly interpreted the term “creditor” to include “. . . businesses or organizations that regularly provide goods or services first and allow customers to pay later.” Under this interpretation, associations that enter into payment plans or stipulations for the payment of past due assessments will likely fall under the definition of “creditor” and be required to comply with the Rule. Similarly, associations that bill-back charges for services after they have been rendered will likely fall under the Rule.


Unfortunately, since the FTC has not yet enforced the Rule, we cannot tell you with certainty that the FTC will focus on community association compliance. However, we can tell you that a significant identity theft at an association could put associations on the FTC’s radar screen and the penalty for failure to comply with the Rule is $3,500.


To comply with the Rule, we recommend that you complete the FTC’s form for the “Do-It-Yourself Prevention Program for Businesses and Organizations at Low Risk for Identity Theft.”