FTC's Red Flags Rule Slated to Take Effect - Congress Tries Another Fix

The Federal Trade Commission's latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC's broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC's Red Flags Rule by amending the Fair Credit Reporting Act's (FRCA's) definition of  "creditor."

The FTC's Red Flags Rule implements Section 114 of the FCRA.  The Rule requires certain creditors and financial institutions subject to the FTC's jurisdiction to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft.

The cause of the multiple enforcement delays is the Rule's definition of "creditor" and the FTC's broad interpretation of the term. Specifically, the FTC has taken the position that, in addition to entities that lend money or participate in credit decisions, a "creditor" subject to the Rule includes any entity that sells goods or services and allows customers to pay for the goods or services later. The FTC's broad interpretation of the term "creditor" has thus turned any business that employs invoice billing into a creditor subject to the Rule.

The proposed bill seeks to largely limit the applicability of the Red Flags Rule to entities commonly understood to be creditors. Pursuant to the bill, "creditors" would be defined as entities that:

  1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
  2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
  3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The proposed legislation leaves the door open for the FTC to expand the definition of "creditor" through rulemaking, by making a determination that a particular type of creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. While this provision leaves open the possibility that the FTC would bring various types of creditors within the scope of the Red Flags Rule, it would set at least a procedural threshold for expanding the scope of the Rule and would appear to require the determination to be specific to the type of creditor.
Although the attention in the debate about the Red Flags Rule has been on the definition of "creditor," the FTC's Rule also applies to financial institutions that are not regulated by the Federal Reserve, OCC, FDIC or NCUA. Financial institutions subject to the FTC's Red Flags Rule include entities such as state-chartered credit unions, mutual funds with check writing or debit privileges, insurance companies, brokers, dealers, investment advisers and investment companies. These and other financial institutions subject to the FTC's jurisdiction must have an identity prevention program in place by December 31, 2010, to the extent they are required to do so by the Rule.