Who Must Comply with FACTA's Red Flags Identity Theft Rule?

According to the FTC, any company that "regularly defer(s) payment for goods or services". . .

On October 31, 2007, the FTC released the Red Flags Identity Theft Rule (the "Red Flags Rule" or the "Rule"). The Red Flags Rule requires "covered entities" to conduct a risk assessment to determine if they have "covered accounts," which are consumer-type accounts that pose a reasonable risk of identity theft. If a covered entity does have covered accounts, the Red Flags Rule requires the entity to develop and implement a written Identity Theft Program to identify, detect and respond to possible risks of identity theft. The deadline to comply with the Red Flags Rule was November 1, 2008. The FTC, however, announced that it would suspend enforcement of the Rule until May 1, 2009 (note that the enforcement date suspension DID NOT impact the compliance deadline -- all covered entities should have been in compliance by November 1, 2008).

Recently a controversy has arisen as to what constitutes a "covered entity" that must comply with the Rule. The FTC has taken the position, based on various definitions in the Rule and other relevant statutes, that the Rule applies to any company that "regularly defers payment for goods or services." This can include any company that does not require payment at the time goods or services are provided, including for example doctors, hospitals, lawyers, merchants and repairmen. As such, the potential scope of the Rule is enormous and all companies should investigate whether they are subject to it.

The FTC's Position on the Scope of the Red Flags Rule

While it is obvious that the Red Flags Rule applies to traditional financial institution type companies (e.g. banks, credit unions, mortgage companies, etc.), the FTC's interpretation of "covered entities" could impose the Red Flags Rule on "non-financial" entities. The Rule defines "covered entities" as either "creditors" or "financial institutions." The current controversy revolves around the term "creditor," which the Rule defines by reference to the definition in the Equal Credit Opportunity Act ("ECOA"). Under the ECOA, "creditor" means:

"any person who regularly extends, renews, or continues credit;  any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit."

The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." In a letter to the American Medical Association on this issue, the FTC cited the Federal Reserve Board's elaboration on the definition of creditor and credit:

In its Official Staff Commentary to Regulation B, the Federal Reserve Board makes clear that the terms "creditor" and "credit" under the ECOA should be interpreted broadly so as to include all entities that defer payments, even in the normal course of a traditional billing process. As the Official Staff Commentary states, "[i]f a service provider (such as a hospital, doctor, lawyer, or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation, even though there is no finance charge and no agreement for payment in installments."

In the same letter, the FTC also cited favorably to a legal treatise on the issue:

Similarly, one recent legal treatise on the subject explains that "[b]ecause credit under the ECOA involves any simple deferral of payment, even if there are no finance charges or installments, the ECOA applies to many transactions where the consumer pays after receiving the goods or services, such as doctor and hospital bills, bills from repair persons and other workers, and even a local store where a customer runs up a tab."

The Impact of the FTC's Interpretation

The FTC's interpretation of "creditor" potentially extends the Red Flags Rule to large swaths of the economy. Taken to its logical conclusion, any company that does not require immediate payment for goods or services could be considered a "creditor." This could include law firms, hospitals, insurance companies, telecommunication companies, doctors and a host of other businesses that provide products or services and bill for them later. While the number of entities that need to comply with the Rule may be significant, the FTC also recognizes that entities posing a lower risk of identity theft may comply with the Rule by implementing simple (relative to high-risk entities) written Identity Theft Programs. The difference between low-risk and high-risk will vary depending on the particular circumstances.

What should a company do if it does allow deferred payments? At this point, it appears that such companies must investigate whether they handle "covered accounts" and ascertain the identity theft risk associated with those accounts. The Rule is also, unfortunately, not clear on what constitutes a covered account in this context. Moreover, since business models vary, the risk posed and red flags established will likely vary between companies. Companies should retain counsel to work through these issues and help develop an Identity Theft Program.

In theory at least, lower risk and less complex entities will face lower compliance burdens and costs to achieve compliance. Nonetheless, because of the need to investigate the applicability of the law and the potentially fact-intensive process of assessing identity theft risk and crafting a program for a particular company, the costs may be significant for some companies (especially "high-risk" entities). More coming on compliance burdens in a future article on this blog.