The Federal Trade Commission ("FTC") has published an Interim Final Rule on identity theft "red flags," narrowing the creditors covered by the rule. Under the original Red Flags Rule, the FTC and several banking agencies issued joint regulations requiring financial institutions and creditors (as those terms are defined in the law) to implement a written program to identify, detect, and respond to identity theft risks that might arise in their businesses. In December 2010, Congress passed the Red Flag Program Clarification Act, which limits the Red Flags Rule to specific creditors. Based on the statute, the new rule applies only to creditors that, in the ordinary course of business, regularly: (1) obtain or use consumer reports in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on the obligation of the person to repay the funds or repayable from specific property pledged by the person. The definition of "financial institutions" will not change. The new rule will become effective on February 11, 2013.
TIP: Financial institutions and creditors should determine whether they will be affected by the change in definition of "creditors" under the new Red Flags Rule. Even if a business finds itself carved out by the new definition, however, written identity theft policies and procedures for discovering and responding to suspicious activity aren't a bad idea. These programs can help lessen potential exposure under more traditional deceptive and unfair business practices laws.