FTC Red Flags Rule Clarified

The Red Flag Program Clarification Act of 2010, which went into effect on Dec. 18, 2010, amends the Fair Credit Reporting Act (FCRA) with respect to the applicability of identity theft guidelines for creditors. The measure was the result of continued confusion over which businesses were required by the Red Flags Rule to implement an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft.

Financial regulatory agencies, including the Federal Trade Commission, issued the Red Flags Rule under the FCRA for the purpose of preventing identity theft. The Rule requires creditors and financial institutions with covered accounts to implement programs to detect warning signs, or “red flags,” that could indicate identity theft. The Rule also requires service providers for applicable creditors and financial institutions to develop and implement policies and procedures designed to detect, prevent and mitigate the risk of identity theft. By virtue of their services provided to a creditor or financial institution, debt collectors and asset buyers may be considered a service provider for purposes of the Rule, and may be required to implement an Identity Theft Prevention Program to the extent required by their clients.

Prior to the amendment, the FTC’s broad definition of creditor would have required certain small businesses whose functions were incidental to credit extension—such as small medical practices and law offices—to undertake arguably costly and unnecessary measures to prevent identity theft. Because the applicability of the Rule to certain creditors was not entirely clear, the FTC delayed implementation of the rule multiple times to allow for Congressional clarification.

The new measure clarifies which entities must comply with the Red Flags Rule. The amendment limits the definition of “creditor” to only those who “regularly and ordinarily in the course of business” (1) obtain or use consumer reports, (2) furnish information to consumer reporting agencies in the course of a credit transaction, or (3) advance funds on behalf of a person, based on the obligation to repay. The third category does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to the person.

As a result, entities that allow payment to be deferred for a service are exempt from the Red Flags Rule unless they engage in one of the previously described practices.

However, while the clarification could exempt parties such as attorneys, physicians, dentists, health care providers and others from the Red Flags Rule, it does not create an outright exemption for these or any other service provider or industry. Entities that “regularly and ordinarily in the course of business” use consumer reports or report accounts to consumer reporting agencies (either directly or through the use of collection agencies) may potentially still be covered by the Red Flags Rule.

However, the amendments do not impact debt collectors to the extent they serve as service providers for creditors or financial institutions.

Entities should review the rules to determine whether they meet the Rule’s definition of a creditor. Until interpretive guidance is issued by the FTC, the safest course of action for entities using consumer reports or credit reporting is to comply with the Red Flags Rules.

Regardless of whether or not an entity is covered by the Red Flags Rule, it is still a wise compliance decision to implement policies to guard against identity theft.

The enforcement date of the Red Flags Rule for entities subject to the FTC went into effect on Dec. 31, 2010.