On 18 December 2010, the Red Flag Program Clarification Act of 2010 (RFPCA) was signed into law by President Obama.1 The RFPCA aims to narrow the universe of "creditors" that must comply with the Fair Credit Reporting Act (FCRA) Identity Theft Red Flags Rules, which require the maintenance of a written Identity Theft Prevention Program.
The Federal Trade Commission (FTC) and federal banking agencies2 jointly issued Red Flags Rules in 2007,3 with each agency's rule applicable to certain types of entities under that agency's jurisdiction. The FTC's rule applies to certain "financial institutions" and "creditors" that are subject to administrative enforcement of FCRA by the FTC.4 There has been substantial uncertainty regarding whether certain entities that clearly are not "financial institutions" could be deemed to be "creditors" that would be covered by the FTC's rule. The FTC had interpreted the term "creditor" to apply very broadly, and stated that the term could cover persons that allowed deferred payment for their services, such as lawyers and doctors.5 Providers of professional services objected to this interpretation, and a number of lawsuits were filed seeking to enjoin the FTC from enforcing the rules against such entities. Because of this uncertainty, the FTC repeatedly delayed its enforcement of the rule and finally determined to begin enforcement as of 1 January 2011.
The RFPCA lessens the uncertainty by specifying certain factors that must be met in order for an entity to be deemed a "creditor" for purposes of the Red Flags Rules. However, the RFPCA does not explicitly exempt any type of entity or industry, and the FTC and other agencies are authorized by the RFPCA to issue regulations extending coverage by the Red Flags Rules to entities not specified in the RFPCA.
The FTC is currently in the process of producing updated guidance for the public in response to the enactment of the RFPCA. Pending clear regulatory guidance or the issuance of proposed regulations, entities that may be covered by the FTC's rules should carefully review the RFPCA to evaluate how it may affect them.
The Red Flags Rules
The Red Flags Rules require that each "financial institution" or "creditor" that offers or maintains one or more "covered accounts"6 must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.7 This program must be tailored to the size and complexity of the financial institution or creditor and the nature of its operations.
The term "creditor" was defined in the Red Flags Rules to have the same meaning as in FCRA generally (which uses the definition of "creditor" in Section 702 of the Equal Credit Opportunity Act (ECOA)): "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit."8 Under ECOA, "credit" is "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor."9
The FTC took the view that the ECOA definition of "creditor" would include professionals such as lawyers, doctors, and accountants to the extent that they allowed consumers to pay for services after the services were rendered. Lawsuits by groups such as the American Bar Association and American Medical Association followed, seeking rulings that such professionals should not be considered "creditors" for purposes of Red Flags.
The Red Flag Program Clarification Act
The RFPCA narrows the term "creditor" for Red Flags purposes by defining it as follows:
- A "creditor," as defined in Section 702 of ECOA (see definition above),10 that regularly and in the ordinary course of business:
  - obtains or uses consumer reports in connection with credit transactions;
  - furnishes information to a consumer reporting agency (CRA) in connection with a credit transaction; or
  - advances funds to or on behalf of a person based on that person's obligation to repay the funds or repayable from specific property pledged by or on behalf of the person.
    - Most significantly, however, under the RFPCA this third category does not include a creditor that advances funds on behalf of a person that are incidental to a service provided by the creditor to the person.
- The RFPCA definition of "creditor" also includes any other type of "creditor," as defined in Section 702 of ECOA, as the agency having authority over that creditor may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. This provision would likely implicate the FTC to a greater degree than it would affect the banking agencies, which have jurisdiction over a well-defined universe of entities, and all "financial institutions" under the banking agencies' jurisdiction are already subject to those banking agencies' Red Flags Rules.
Legislative history indicates that the exclusion for an entity that "advances funds on behalf of a person that are incidental to a service provided by the creditor to the person" is meant to exempt professional service providers such as lawyers, doctors, and dentists.11 However, even those entities could still be included in the definition of "creditor" if they otherwise fall within the ECOA definition and, in the ordinary course of business, obtain or use consumer reports in connection with credit transactions or furnish information to CRAs in connection with credit transactions.
Importantly, the RFPCA also allows the FTC and the banking agencies to include, by regulation, any other entity that is a "creditor" under ECOA that the FTC determines to offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft. This creates a potential tension between provisions in the RFPCA, as the FTC, by regulation, could arguably include entities that would otherwise be excluded by the RFPCA. Because this would have to be done through the rulemaking process, there would presumably be at least one public comment period during which the public could express support for, or object to, the coverage of any entity as a creditor.
The FTC is currently updating guidance on its website in light of the new law. Pending the issuance of clear regulatory guidance or new regulations, it will be necessary to carefully consider a given entity's activities in light of the RFPCA in determining whether to comply with the Red Flags Rules.