After a three-year delay amid a swirl of controversy and litigation over the types of entities covered under the Identity Theft Red Flags Rule ("Red Flags Rule"), the Federal Trade Commission ("FTC") has bowed to the will of Congress and amended the rule to limit the scope of covered entities, as reported in the Federal Register on December 6 [77 FR 72712]. The controversy revolved around the expanded definition of "creditor," which provided the FTC with a jurisdictional hook to mandate compliance with the rule by virtually all businesses.

The Red Flags Rule requires creditors and financial institutions that hold certain credit accounts to develop and implement a written identity theft and prevention program. The program must provide for identification and detection of and responses to patterns, practices, or specific activities -- known as "red flags" -- that could indicate identity theft. (See July 28, 2009, Day Pitney Client Alert for details on the Red Flags Rule.)

Under the FTC's former definition, creditors had been defined as entities that regularly extend or renew credit or arrange for others to do so and included any entity that regularly permits deferred payment for goods and services. Under that definition, entities subject to the rule included those that permit payment after products are sold or services rendered, e.g., lawyers, health care providers, accountants, retailers, and nonprofit organizations.

After the American Bar Association successfully challenged the authority of the FTC to include lawyers under the rule, Congress stepped in and enacted the Red Flag Program Clarification Act [15 U.S.C. 1681m(e)(4)], which narrowed the scope of entities covered as creditors. The clarification, which the FTC has inserted in the amended rule, defines a creditor as an entity that in the ordinary course of business involving a credit transaction regularly (i) obtains or uses consumer reports, (ii) furnishes information to consumer reporting agencies, or (iii) advances funds to or on behalf of a person based on an obligation of the person to repay the funds. Under the amended definition, mainly financial institutions and other traditional lenders are covered. The compliance date of the rule is February 11, 2013.

It is essential that entities correctly determine whether they fall under the definition of "creditor" and, if so, whether they maintain specified credit accounts. Entities so designated should design and implement appropriate identity theft prevention programs. Even in the absence of a legal obligation, implementing a program containing elements of the rule would help companies mitigate the risk of identity theft and reduce their overall exposure.

www.daypitney.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.