United States: Red Flag Program Clarification Act Exempts Certain Creditors from Red Flag Rules

On 18 December 2010, the Red Flag Program Clarification Act of 2010 (RFPCA) was signed into law by President Obama.¹ The RFPCA aims to narrow the universe of "creditors" that must comply with the Fair Credit Reporting Act (FCRA) Identity Theft Red Flags Rules, which require the maintenance of a written Identity Theft Prevention Program.

The Federal Trade Commission (FTC) and federal banking agencies² jointly issued Red Flags Rules in 2007,³ with each agency's rule applicable to certain types of entities under that agency's jurisdiction. The FTC's rule applies to certain "financial institutions" and "creditors" that are subject to administrative enforcement of FCRA by the FTC.⁴ There has been substantial uncertainty regarding whether certain entities that clearly are not "financial institutions" could be deemed to be "creditors" that would be covered by the FTC's rule. The FTC had interpreted the term "creditor" to apply very broadly, and stated that the term could cover persons that allowed deferred payment for their services, such as lawyers and doctors.⁵ Providers of professional services objected to this interpretation, and a number of lawsuits were filed seeking to enjoin the FTC from enforcing the rules against such entities. Because of this uncertainty, the FTC repeatedly delayed its enforcement of the rule and finally determined to begin enforcement as of 1 January 2011.

The RFPCA lessens the uncertainty by specifying certain factors that must be met in order for an entity to be deemed a "creditor" for purposes of the Red Flags Rules. However, the RFPCA does not explicitly exempt any type of entity or industry, and the FTC and other agencies are authorized by the RFPCA to issue regulations extending coverage by the Red Flags Rules to entities not specified in the RFPCA.

The FTC is currently in the process of producing updated guidance for the public in response to the enactment of the RFPCA. Pending clear regulatory guidance or the issuance of proposed regulations, entities that may be covered by the FTC's rules should carefully review the RFPCA to evaluate how it may affect them.

The Red Flags Rules

The Red Flags Rules require that each "financial institution" or "creditor" that offers or maintains one or more "covered accounts"⁶ must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.⁷ This program must be tailored to the size and complexity of the financial institution or creditor and the nature of its operations.

The term "creditor" was defined in the Red Flags Rules to have the same meaning as in FCRA generally (which uses the definition of "creditor" in Section 702 of the Equal Credit Opportunity Act (ECOA)): "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."⁸ Under ECOA, "credit" is "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor."⁹

The FTC took the view that the ECOA definition of "creditor" would include professionals such as lawyers, doctors, and accountants to the extent that they allowed consumers to pay for services after the services were rendered. Lawsuits by groups such as the American Bar Association and American Medical Association followed, seeking rulings that such professionals should not be considered "creditors" for purposes of Red Flags.

The Red Flag Program Clarification Act

The RFPCA narrows the term "creditor" for Red Flags purposes by defining it as follows:

• A "creditor," as defined in Section 702 of ECOA (see definition above),¹⁰ that regularly and in the ordinary course of business:
• • obtains or uses consumer reports in connection with credit transactions;
  • furnishes information to a consumer reporting agency (CRA) in connection with a credit transaction; or
  • advances funds to or on behalf of a person based on that person's obligation to repay the funds or repayable from specific property pledged by or on behalf of the person.
  • • most significantly, under the RFPCA, this third category, however, does not include a creditor that advances funds on behalf of a person that are incidental to a service provided by the creditor to the person
• The RFPCA definition of "creditor" also includes any other type of "creditor," as defined in Section 702 of ECOA, as the agency having authority over that creditor may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. This provision would likely implicate the FTC to a greater degree than it would affect the banking agencies, which have jurisdiction over a well-defined universe of entities, and all "financial institutions" under the banking agencies' jurisdiction are already subject to those banking agencies' Red Flags Rules.

Legislative history indicates that the exclusion for an entity that "advances funds on behalf of a person that are incidental to a service provided by the creditor to the person" is meant to exempt professional service providers such as lawyers, doctors, and dentists.¹¹ However, even those entities could still be included in the definition of "creditor" if they otherwise fall within the ECOA definition and, in the ordinary course of business, obtain or use consumer reports in connection with credit transactions or furnish information to CRAs in connection with credit transactions.

Importantly, the RFPCA also allows the FTC and the banking agencies to include, by regulation, any other entity that is a "creditor" under ECOA that the FTC determines to offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft. This creates a potential tension between provisions in the RFPCA, as the FTC, by regulation, could arguably include entities that would otherwise be excluded by the RFPCA. Because this would have to be done through the rulemaking process, there would presumably be at least one public comment period during which the public could express support for, or object to, the coverage of any entity as a creditor.

The FTC is currently updating guidance on its website in light of the new law. Pending the issuance of clear regulatory guidance or new regulations, it will be necessary to carefully consider a given entity's activities in light of the RFPCA in determining whether to comply with the Red Flags Rules.

Footnotes

1 P.L. 111-319 (Dec. 18, 2010).

2 The Office of the Comptroller of the Currency (OCC); Federal Reserve Board (FRB); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision (OTS); and National Credit Union Administration (NCUA).

3 12 CFR part 41 (OCC); 12 CFR part 222 (FRB); 12 CFR parts 334 and 364 (FDIC); 12 CFR part 571 (OTS); 12 CFR part 717 (NCUA); and 16 CFR part 681 (FTC). Although often collectively referred to as the Red Flags Rules, these rules consist of three distinct rules: the Identity Theft Red Flags Rule, the Address Discrepancies Rule, and the Card Issuer's Rule. The RFPCA affects only the first rule, and references to the Red Flags Rules in this advisory should be read as referring only to the Identity Theft Red Flags Rule.

4 16 CFR § 681.2(a).

5 See, e.g., "The Red Flags Rule: Frequently Asked Questions" ("Under the Rule, the definition of "creditor" is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies."), available at www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.

6 A "covered account" is defined as (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. See, e.g., 16 CFR § 681.2(b)(3).
7 See, e.g., 16 CFR § 681.2(d).

8 16 CFR § 681.2(b)(5) (the term "creditor" has the same meaning as in 15 USC § 1691a(e).

9 15 USC § 1691a(d). The Red Flags Rules use this same definition of "credit." See, e.g., 16 CFR § 681.2(b)(4).

10 15 USC § 1691a(e).

11 "The legislation also makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of health care providers and other service providers will no longer be classified as "creditors" for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably foreseeable risk of identity theft." 156 Cong. Rec. S8288 (daily ed. Nov. 30, 2010) (statement of Sen. Dodd).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.