Since 2008, the Federal Trade Commission (“FTC”) has announced multiple times that it would delay enforcement of the Red Flags Rule. The last Enforcement Policy announced a delay through December 31, 2010, so that Congress could consider legislation regarding the scope of entities covered by the Rule.
The Rule applies to “financial institutions” and “creditors” that maintain “covered accounts,” and it requires covered entities to implement a written program designed to detect patterns and practices that indicate possible identity theft—“Red Flags.” Because the Rule initially broadly defined “creditor” (an entity that regularly extends credit) and “covered account” (a consumer account that permits multiple transactions or a commercial account where there is a “reasonably foreseeable risk” of identity theft), a wide range of businesses were required to comply with the Rule (e.g. car dealers, health care providers, accountants, law firms, mortgage brokers, utility companies, and telecommunication companies).
After lawsuits were filed by groups representing health care providers, attorneys, and accountants seeking to enjoin the FTC from applying the Rule to their members, the House and Senate introduced legislation to limit the scope of the Rule. On December 18, President Obama signed the Red Flag Program Clarification Act of 2010, which limited the scope of the Rule by amending the definition of “creditor.”
The amended definition of “creditor” specifically excludes creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The amended definition also includes a provision that will allow regulating authorities to promulgate a rule defining entities they regulate as a “creditor” upon making a “determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”
Essentially, the amended definition of “creditor” exempts service providers like lawyers, doctors, and accountants from complying with the Rule. According to Sen. Mark Begich, D-Alaska, who sponsored the legislation in the Senate with Sen. John Thune, R-S.D., the basis for excluding service providers from complying with the Rule is that service providers generally do not offer or maintain accounts that pose a reasonable risk of identity theft.
The legislative amendment to the definition of “creditor” likely clears the way for the FTC to begin enforcement of the Rule on January 1, 2011.