The Federal Trade Commission’s interim final rule, which clarifies that most service providers are not subject to the Red Flags Rule, takes effect February 11, 2013.
The Federal Trade Commission (FTC) announced an interim final Red Flags Rule to narrow the definition of “creditor” consistent with the Red Flag Program Clarification Act of 2010 (Clarification Act). The Red Flags Rule requires “financial institutions” and “creditors” to develop and implement a written identity theft prevention program premised on identifying “red flags” of identity theft. The FTC is accepting comments until February 11, 2013, at which time the interim rule becomes effective.
The Red Flag Program as adopted by Congress was highly controversial because the FTC took an expansive view of who had to comply with the Red Flags Rule, and it can be expensive and complicated to establish an identity theft prevention program. Prior to the Clarification Act, any creditor as defined under the Fair Credit Reporting Act (FCRA) was subject to the Red Flags Rule, which included “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” The FTC interpreted this to include physicians and other health care providers who accept insurance or who permit payment plans by patients, as well as lawyers and other professionals who do not receive payment in full at the time of service.
The Clarification Act limited the application of the Red Flags Rule only to creditors (as defined under the FCRA above) that regularly and in the ordinary course of business:
- Obtain or use consumer reports in connection with a credit transaction, or
- Furnish information to consumer reporting agencies in connection with a credit transaction, or
- Advance funds to or on behalf of a person who has an obligation of repayment.
Although the Clarification Act seemed to exclude businesses that advanced funds or deferred payment, there was still some ambiguity as to how this would be implemented and applied. The interim final rule clarifies that “advancing funds” does not include “payment in advance for fees, materials, or services that are incidental to the creditor’s ability to provide another service that a person initiated or requested.” The rule notes, by example, that a lawyer who advances funds on behalf of a client to pay expert witness fees or other expenses related to the provision of legal services in the course of litigation is not “advancing funds.” The rule further distinguishes a commercial lender making a loan from a business advancing funds and deferring payment for fees incurred while providing services to a client or customer—the former is a creditor, while the latter is not for purposes of the Red Flags Rule.
This interim rule confirms that most service providers are not subject to the Red Flags Rule. However, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data. The FTC may pursue enforcement actions under the FTC Act when companies do not take reasonable privacy protection measures scaled to the level of risk their privacy practices pose. As such, it would be prudent for service providers to implement reasonable privacy practices, even if they fall outside the scope of the Red Flags Rule.