Lame Ducks Tackle Red Flags; Relief is in Sight

Last week, the U.S. Senate adopted by unanimous consent a bill (S. 3987) that would limit the scope of the Federal Trade Commission's Red Flags Rule by amending the Fair Credit Reporting Act's (FCRA's) definition of "creditor." The Senate bill is identical to the bipartisan House proposal we covered in detail in our blog on November 22, 2010.

Both bills have been referred to the House Committee on Financial Services. Given that the House and Senate are now on the same page with respect to the Red Flags Rule, there is a good chance that this proposal will become law before the FTC begins enforcing the Rule on December 31, 2010.

The bills seek to largely limit the applicability of the Red Flags Rule to entities commonly understood to be "creditors". They would generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time.

Specifically, if passed, the legislation would limit the definition of "creditors" under the FCRA to entities that:

  1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
  2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
  3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The legislation would leave the door open for the FTC to expand the definition of "creditor" through rulemaking, by making a determination that a particular type of creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. While this provision leaves open the possibility that the FTC would bring various types of creditors within the scope of the Red Flags Rule, it would set a procedural threshold for expanding the scope of the Rule, and appears to require the determination to be specific to the type of creditor.