After a three-year delay amid a swirl of controversy and
litigation over the types of entities covered under the Identity
Theft Red Flags Rule ("Red Flags Rule"), the Federal
Trade Commission ("FTC") has bowed to the will of
Congress and amended the rule to limit the scope of covered
entities, as reported in the Federal Register on December 6 [77 FR
72712]. The controversy revolved around the expanded definition of
"creditor," which provided the FTC with a jurisdictional
hook to mandate compliance with the rule by virtually all
businesses.
The Red Flags Rule requires creditors and financial institutions
that hold certain credit accounts to develop and implement a
written identity theft prevention program. The program must
provide for identification and detection of and responses to
patterns, practices, or specific activities -- known as "red
flags" -- that could indicate identity theft. (See
July 28, 2009, Day Pitney Client Alert for details on the Red
Flags Rule.)
Under the FTC's former definition, creditors had been defined
as entities that regularly extend or renew credit or arrange for
others to do so and included any entity that regularly permits
deferred payment for goods and services. Under that definition,
entities subject to the rule included those that permit payment
after products are sold or services rendered, e.g., lawyers, health
care providers, accountants, retailers, and nonprofit
organizations.
After the American Bar Association successfully challenged the
authority of the FTC to include lawyers under the rule, Congress
stepped in and enacted the Red Flag Program Clarification Act [15
U.S.C. 1681m(e)(4)], which narrowed the scope of entities covered
as creditors. The clarification, which the FTC has inserted in the
amended rule, defines a creditor as an entity that in the ordinary
course of business involving a credit transaction regularly (i)
obtains or uses consumer reports, (ii) furnishes information to
consumer reporting agencies, or (iii) advances funds to or on
behalf of a person based on an obligation of the person to repay
the funds. Under the amended definition, mainly financial
institutions and other traditional lenders are covered. The
compliance date of the rule is February 11, 2013.
It is essential that entities correctly determine whether they
fall under the definition of "creditor" and, if so,
whether they maintain specified credit accounts. Entities so
designated should design and implement appropriate identity theft
prevention programs. Even in the absence of a legal obligation,
implementing a program containing elements of the rule would help
companies mitigate the risk of identity theft and reduce their
overall exposure.