The Red Flags Rule requires certain businesses and organizations to have in place a written identity theft program designed to detect “red flags” indicative of identity theft and take appropriate steps to prevent it. While the Red Flags Rule has always applied to “financial institutions” and “creditors,” the scope of the term “creditors” has generated some confusion. The initial Red Flags Rule defined “creditor” broadly by reference to the definition in the Equal Credit Opportunity Act and arguably covered any company that extended credit by allowing a customer to defer payment. This would include most businesses and service providers, including retailers, doctors, and lawyers.

After allegations that such a broad definition exceeded the FTC’s authority under the Fair and Accurate Credit Transactions Act (“the FACT Act”), Congress reacted by passing the Red Flag Program Clarification Act of 2010. The Act clarifies that for the purposes of the FACT Act, creditor means only those creditors that regularly and in the ordinary course of business either: (1) obtain or use consumer reports in connection with a credit transaction, (2) furnish information to consumer reporting agencies in connection with a credit transaction, or (3) advance funds to or on behalf of a person, based on an obligation of the person to repay. The Act further clarifies that creditor does not include an entity that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."

The FTC Guidance expands on the clarification provided by Congress by offering both general guidance and specific “FAQs” concerning the scope of the Red Flags Rule. With regard to the meaning of “regularly and in the ordinary course of business,” the Guidance explains that “[i]solated conduct does not trigger application of the rule, but if your business regularly furnishes delinquent account information to a consumer reporting company but no other information, that [would] satisf[y]” the requirement and fall within the scope of the Rule. The Guidance also explicitly advises that a professional who bills clients subsequent to rendering services would not qualify as a creditor under the Rule. On the other hand, the Guidance explains that any business that regularly uses credit reports would be subject to the Rule, even if a third party evaluates the credit reports on the business’s behalf.

The Guidance goes on to provide a “four-step process” towards compliance. Specifically, the Guidance advises covered entities to:

• Identify relevant red flags, including alerts from a credit reporting company, suspicious documents, and personal identifying information suggestive of fraud.
• Detect red flags by considering what procedures would work best in the particular organization.
• Prevent and mitigate identity theft by responding immediately and terminating service as necessary.
• Periodically update the program to stay on top of developments and industry best practices.

While the Guidance provides a helpful resource in facilitating compliance with the Red Flags Rule, companies must undertake their own analyses to customize their identity theft programs to meet the requirements of the Rule.

The rules also provide consumers an additional avenue to challenge the accuracy of information used to generate their credit rating. Historically, consumers were encouraged to deal with the credit reporting agency about the accuracy of such information. Under the new FACTA rules, furnishers are now required, in most cases, to investigate disputes that are submitted directly to them by consumers regarding the accuracy of information that furnishers provided to a credit reporting agency.

Click here to review the final inter-agency rules and guidelines.

Those rules were issued in November 2007. Under the regulations, financial institutions are required to develop and implement written programs to detect and respond to possible identity theft as indicated by certain "red flags." These newly required programs were to be in place on or before November 1, 2008.

The FAQs are the latest step in a number of efforts by the FTC and others to assist companies in complying with the new FACTA rules. For instance, in July 2008, the FTC launched an outreach program to explain the rules in greater detail, to clarify the types of institutions to which the rules apply, and to offer guidance as to how these institutions can comply. That outreach effort included an alert providing information relating to definitions and terms used in the rules, including the definitions of “financial institution,” “creditor,” “transaction account,” and “covered account.” In addition, the alert addressed five categories of “red flag” activities.

Financial institutions should continue to monitor for guidance from the federal agencies, and/or consult with counsel, regarding their compliance with the new FACTA rules.

If you answered E, “All of the above,” you are CORRECT. However, many companies do not realize their businesses are subject to consumer financial services laws. Consequently, their businesses may not be compliant and may be subject to litigation risk.

The focus of the Consumer Finance Law Blog is to keep – all on one site – traditional and non-traditional financial service providers subject to consumer financial services laws abreast of recent developments in:

• State consumer protection statutes and regulations
• State privacy statutes
• Privacy and consumer protection litigation
• Card Association Rules
• Equal Credit Opportunity Act
• Electronic Funds Transfer Act
• Fair Credit Reporting Act
• Fair Credit Transactions Act
• Fair Debt Collection Practices Act
• Payment Card Industry Data Security Standard
• State Money Transmitter Statutes
• State Retail Installment Sales Act
• State and Federal Unfair and Deceptive Trade Practices Acts
• TILA, RESPA, and related federal and state consumer disclosure and notice requirements
• Insurance coverage issues
• Legislation that may impact company compliance or create new litigation risk.

We welcome you and hope that you find our posts interesting, educational, and thought provoking. We also welcome your feedback and invite you to suggest topics or recent decisions of interest that you would like us to address.