Enforcement of Red Flags Rule by FTC Begins
By Derek L. Prestin
January 13, 2011
On December 31, 2010, the Federal Trade Commission began enforcing the “Red Flags Rule” (the “Rule”), which may be found at 16 C.F.R. 681. However, on December 18, 2010, the Red Flag Program Clarification Act of 2010 was signed into law, which revised the scope of businesses to which the Rule applies. Consequently, the Rule will be enforced by the FTC against a narrower group of businesses than originally anticipated.
Amendment of Definition of “Creditors” under the Rule
The Red Flag Program Clarification Act of 2010 amended the Fair Credit Reporting Act, namely the definition of “creditor” applicable to the red flag guidelines in the Fair Credit Reporting Act. Specifically, 15 U.S.C. 1681m(e) was amended by adding language clarifying the definition of “creditor” under the statute.
Under the revised definition put into effect by the Red Flag Program Clarification Act of 2010, the Rule now defines a “creditor” as a business or organization that regularly and in the ordinary course of business: (1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnishes information to consumer reporting agencies in connection with a credit transaction; or (3) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.
The revised definition of “creditor” also includes any business that is classified as a “creditor” by the rules or regulations of the federal agency (such as the National Credit Union Administration, the FDIC, or another similar agency) having regulatory authority over the business. Therefore, it is foreseeable that the FTC could use this authority to expand the reach of the Rule in the future as other federal agencies expand their classifications of “creditors.”
However, under the revised definition, “creditor” does not include a business that advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person, where the advancement of funds is to pay expenses that are incidental to a service provided by the business.
As a result of the change in the definition of “creditor” applicable to the Rule under the provisions of the Red Flag Program Clarification Act of 2010, businesses such as law firms, accounting firms, medical practices, dental practices, and other medical practices, and certain small businesses, will no longer fall within the scope of the Rule. For these reasons, we recommend that most businesses that fall, or may fall, within the revised definition of “creditor” anticipate that they will be subject to the Rule as a “creditor” and that they will likely be found to have “covered accounts” if they utilize or maintain records of “personally identifiable information” of individuals or businesses that are subject to a “foreseeable risk of identity theft.” Any such business or organization should adopt a Red Flags Policy that complies with the Rule as soon as possible.
If you have questions regarding the above, please contact Derek Prestin, the author of this article, or any of the attorneys in the Business Transactions Practice Group of Ruder Ware.
This document provides information of a general nature regarding legislative or other legal developments, and is based on the state of the law at the time of the original publication of this article. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations, or issues, and additional facts and information or future developments may affect the subjects addressed. You should not act upon the information in this document without discussing your specific situation with legal counsel.
© 2023 Ruder Ware, L.L.S.C. Accurate reproduction with acknowledgment granted. All rights reserved.