FTC Red Flags Rule Enforcement Delay Ends Amid New Confusion
The enforcement delay of the Federal Trade Commission’s (FTC) Red Flags Rule ended—with little agency fanfare—on January 1, 2011, but some questions remain as to who will be deemed a “creditor” for purposes of the Rule. On December 18, 2010, the president signed into law the “Red Flag Program Clarification Act of 2010,” intending to narrow the reach of the Red Flags Rule. Due to ambiguities in the new law, some entities continue to question whether compliance is mandated.
The FTC Red Flags Rule applies to “creditors” that offer or maintain “covered accounts.” Prior to passage of the Red Flag Program Clarification Act, the FTC had broadly construed the term “creditor” to include health care providers, lawyers, accountants and other businesses not typically thought of as creditors, bringing these individuals and entities within the reach of the Red Flags Rule.
The new law modifies the definition of the term “creditor”—but the revised definition does not include a straightforward list of types of entities that are carved out from the definition. Instead, the new law limits application of the Red Flags Rule to creditors that regularly and in the ordinary course of business—
- obtain or use consumer reports, directly or indirectly, in connection with a credit transaction,
- furnish information to consumer reporting agencies in connection with a credit transaction, or
- advance funds to, or on behalf of, a person, based on an obligation of the person to repay the funds (or repayable from specific property pledged by, or on behalf of, the person)—but, importantly, the law exempts from this category creditors that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.
Significantly, the new law further grants the FTC authority to include within the scope of the Red Flags Rule “any other type of creditor” that offers or maintains accounts that are subject to a “reasonably foreseeable risk of identity theft.”
Unless the FTC takes advantage of this authority, some who found themselves swept into the Red Flags Rule net solely on account of their invoicing procedures—allowing patients or customers to pay for services provided by the “creditor” within 30 days of invoicing, for example—will not need to comply with the Rule, consistent with the exception noted in the third category above. Many physicians, veterinarians and pharmacists may be able to take advantage of this clarification. In some circumstances, however, these types of providers may still need to comply with the Rule. Some stakeholders—including the American Medical Association—remain cautious as to how the new law will be implemented and are awaiting further guidance from the agency.
Previously, on five separate occasions, the FTC had delayed enforcement of the Red Flags Rule due to confusion surrounding the Rule’s scope. Some confusion remains, but the agency has not announced another enforcement delay.
Affected entities that have not done so already should take prompt action to come into compliance with the Red Flags Rule’s anti-identity theft requirements. For more on the Red Flags Rule and its requirements, including an overview of the components of a Red Flags Program and highlights of Red Flags Program administration requirements, see the Akin Gump alert, “FTC Set to Begin Enforcing Identity Theft Prevention Regulations on August 1, 2009.”
If you have any questions regarding this alert, please contact—