The Federal Trade Commission’s latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC’s broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC’s Red Flags Rule by amending the Fair Credit Reporting Act’s (FRCA’s) definition of "creditor."
The FTC’s Red Flags Rule implements Section 114 of the FCRA. The Rule requires certain creditors and financial institutions subject to the FTC’s jurisdiction to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft.
The cause of the multiple enforcement delays is the Rule’s definition of "creditor" and the FTC’s broad interpretation of the term. Specifically, the FTC has taken the position that, in addition to entities that lend money or participate in credit decisions, a "creditor" subject to the Rule includes any entity that sells goods or services and allows customers to pay for the goods or services later. The FTC’s broad interpretation of the term "creditor" has thus turned any business that employs invoice billing into a creditor subject to the Rule.
The proposed bill seeks to largely limit the applicability of the Red Flags Rule to entities commonly understood to be creditors. Pursuant to the bill, "creditors" would be defined as entities that:
- obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
- furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
- advance funds to or on behalf of a person (based on the person’s obligation to repay the funds or repayable from property pledged by or on behalf of the person).
More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.