The Federal Trade Commission (FTC) recently issued a “How-To Guide for Business” regarding the Commission’s identity theft prevention “Red Flags” rule, described below. The new guide includes a step-by-step set of questions that businesses can use to determine if they are either a “financial institution” or a “creditor” -- the two types of entities that are subject to the Red Flags rule. Given the inconsistency in the definitions of those terms as used in various contexts, the new guide should be a helpful tool for organizations that are unsure as to whether they are covered by the FTC’s definition, especially organizations that might never think of themselves as “creditors” for general purposes.

The FTC adopted an initial Red Flags rule in 2007 pursuant to the anti-identity theft provisions of the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act). As prescribed by the FACT Act, the FTC’s rule (and similar rules issued by the federal banking agencies and, most recently, the Securities and Exchange Commission and the Commodity Futures Trading Commission) applies to any “financial institution” or “creditor” and requires those entities to adopt a written Identity Theft Prevention Program. Under all of the agencies’ rules, such programs must provide a means to identify and respond to “red flags” indicating a heightened risk of identity theft. Each “financial institution” or “creditor” must select the red flags appropriate for its organization, which might include, for example, alerts received from a consumer reporting agency; receipt of suspicious personal identifying information; a change of address of a customer coupled with a request for a new account; or the unusual use of a financial account.

In its initial Red Flags rule, the FTC broadly interpreted “creditor” to include virtually any entity that performed services for customers and allowed deferred payment for those services. That swept in professionals such as health care providers, attorneys, and accountants, among others. In response, the American Bar Association and the American Institute of Certified Public Accountants sued the FTC for exceeding its authority under the FACTA, and the American Medical Association and others urged Congress to clarify the intended scope of the “creditor” definition. Following passage of an amendment to the statute newly defining the term, the FTC revised its rule to track the new statutory definition.  The recently issued guide provides additional clarity with respect to the scope of the term and also instructs affected businesses regarding the proper design and implementation of their required Identity Theft Prevention Programs.

Among other things, the new guide clarifies that:

  • Accepting credit cards as a form of payment does itself not make you a “creditor” for purposes of the Red Flags rule.
  • Allowing your clients to pay you later also does not by itself make you a “creditor.”  Simply deferring payment does not constitute “advancing funds” under the rule.
  • Allowing your clients to defer payment and securing the right to payment with some collateral does constitute “advancing funds” and is covered by the Red Flags rule.
  • If your business uses credit reports—regularly and in the ordinary course of business—in connection with credit transactions, then you are a creditor.  This rule applies even if a third-party evaluates the reports and nobody in your organization ever sees them.
  • If your organization has “covered accounts” (accounts established primarily for personal, family or household purposes, or designed to permit multiple payments or transactions, or that otherwise are vulnerable to identity theft) then you must adopt a written program that complies with the Red Flags rule, even if identity theft is not a significant risk for your business.

A review of the new guide is warranted for businesses generally, to ensure a proper understanding of the applicable scope of the FTC’s Red Flags rule. And for those that are covered by the rule, the guide is also helpful in outlining the steps to take in adopting an Identity Theft Prevention Program.  But because each such program must be properly tailored to meet the risks posed to a particular organization, neither the guide nor the underlying rule can answer all questions regarding such programs.  Counsel for each organization will have to grapple with those questions in establishing and enforcing an individual written program that complies with the FTC’s rule.