After a three-year delay amid a swirl of controversy and
litigation over the types of entities covered under the Identity
Theft Red Flags Rule ("Red Flags Rule"), the Federal
Trade Commission ("FTC") has bowed to the will of
Congress and amended the rule to limit the scope of covered
entities, as reported in the Federal Register on December 6 [77 FR
72712]. The controversy revolved around the expanded definition of
"creditor," which provided the FTC with a jurisdictional
hook to mandate compliance with the rule by virtually all

The Red Flags Rule requires creditors and financial institutions
that hold certain credit accounts to develop and implement a
written identity theft prevention program. The program must
provide for identification and detection of and responses to
patterns, practices, or specific activities -- known as "red
flags" -- that could indicate identity theft. (See
July 28, 2009, Day Pitney Client Alert for details on the Red

Under the FTC's former definition, creditors had been defined
as entities that regularly extend or renew credit or arrange for
others to do so and included any entity that regularly permits
deferred payment for goods and services. Under that definition,
entities subject to the rule included those that permit payment
after products are sold or services rendered, e.g., lawyers, health
care providers, accountants, retailers, and nonprofit

After the American Bar Association successfully challenged the
authority of the FTC to include lawyers under the rule, Congress
stepped in and enacted the Red Flag Program Clarification Act [15
U.S.C. 1681m(e)(4)], which narrowed the scope of entities covered
as creditors. The clarification, which the FTC has inserted in the
amended rule, defines a creditor as an entity that in the ordinary
course of business involving a credit transaction regularly (i)
obtains or uses consumer reports, (ii) furnishes information to
consumer reporting agencies, or (iii) advances funds to or on
behalf of a person based on an obligation of the person to repay
the funds. Under the amended definition, mainly financial
institutions and other traditional lenders are covered. The
compliance date of the rule is February 11, 2013.

It is essential that entities correctly determine whether they
fall under the definition of "creditor" and, if so,
whether they maintain specified credit accounts. Entities so
designated should design and implement appropriate identity theft
prevention programs. Even in the absence of a legal obligation,
implementing a program containing elements of the rule would help
companies mitigate the risk of identity theft and reduce their