Enforcement of Red Flags Rule by FTC Begins
2011-01/13 Derek L. Prestin Printer Friendly PDF Version

On December 31, 2010, the Federal Trade Commission began enforcing the “Red Flags Rule” (the “Rule”), which may be found at 16 C.F.R. § 681.  However, on December 18, 2010, the Red Flag Program Clarification Act of 2010 was signed into law, which revised the scope of businesses to which the Rule applies.  Consequently, the Rule will be enforced by the FTC against a narrower group of businesses than originally anticipated.

Amendment of Definition of “Creditors” under the Rule

The Red Flag Program Clarification Act of 2010 amended the Fair Credit Reporting Act, namely the definition of “creditor” applicable to the red flag guidelines in the Fair Credit Reporting Act.  Specifically, 15 U.S.C. § 1681m(e) was amended by adding language clarifying the definition of “creditor” under the statute.

Under the revised definition put into effect by the Red Flag Program Clarification Act of 2010, the Rule now defines a “creditor” as a business or organization that regularly and in the ordinary course of business:

Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

Furnishes information to consumer reporting agencies in connection with a credit transaction; or

Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

The revised definition of “creditor” also includes any business that is classified as a “creditor” by the rules or regulations of the federal agency (such as the National Credit Union Administration, FDIC, or other similar such agency) having regulatory authority over the business.  Therefore, it is foreseeable that the FTC could use this authority to expand the reach of the Rule in the future as other federal agencies expand their classifications of “creditors.”

However, under the revised definition, “creditor” does not include a business that advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person, where the advancement of funds is to pay expenses that are incidental to a service provided by the business.

As a result of the change in the definition of “creditor” applicable to the Rule under the provisions of the Red Flag Program Clarification Act of 2010, businesses such as law firms, accounting firms, medical practices, dental practices, and other medical practices, and certain small businesses, will no longer fall within the scope of the Rule.

For these reasons, we recommend that most businesses that fall, or may fall, within the revised definition of “creditor,” should anticipate that they will be subject to the Rule as a “creditor” and that they will likely be found to have “covered accounts” if they utilize or maintain records of “personally identifiable information” of individuals or businesses that are subject to a “foreseeable risk of identity theft.”  Any such business or organization should adopt a Red Flags Policy that complies with the Rule as soon as possible.

Please feel free to contact Derek Prestin, who prepared this article, or an attorney within the Business Transactions Practice Group of Ruder Ware if you need assistance or have any questions in regard to this article.

© 2011 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.
This document provides information of a general nature regarding legislative or other legal developments. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed.