The Federal Trade Commission (“FTC”) recently issued an interim final rule amending its “Red Flags Rule,” 16 C.F.R. Part 681. The amendment, which affects “creditors” under the FTC’s jurisdiction, limits the applicability of the Rule by making reference to a new definition of “creditor” in Section 1681m(e)(4) of the Fair Credit Reporting Act (“FCRA”). Section 1681m(e)(4) was part of the “Red Flag Program Clarification Act” enacted by Congress in December of 2010. The FTC’s interim rule directly references this new definition, discussed below. Formerly, the Red Flags Rule used the much broader definition of creditor in Section 1681a of FCRA, which in turn referenced the definition in Section 702 of the Equal Credit Opportunity Act (ECOA).
The Red Flags Rule was originally promulgated in 2007 to require that “financial institutions” and “creditors” implement identity theft prevention and mitigation programs. Although banks and other financial institutions have been subject to the Red Flags Rule for years by federal banking regulators, the applicability of the Rule to entities under the FTC’s jurisdiction has been subject to much debate.
Specifically, the FTC’s interpretation of the term “creditor” was the center of significant controversy up until the 2010 Red Flag Program Clarification Act. Originally, the FTC took the position that the definition of “creditor” (including “any person who regularly extends, renews, or continues credit”), also included any entity that “regularly permits deferred payments for goods or services.” This position was based on Regulation B, promulgated by the Treasury under ECOA. The FTC stated that its Red Flags Rule therefore applied to an estimated 11 million businesses in the United States that provided services on credit (i.e., provided services and billed later), including legal and medical services. The potential scope the Rule spawned a number of lawsuits and the FTC repeatedly delayed implementation to address the lack of public awareness. We discussed the potential scope of the Rule in a number of client alerts in 2009. The December 2010 Red Flag Program Clarification Act addressed these concerns by introducing a new definition of the term “creditor” for purposes of the Rule. Generally speaking, the term “creditor” under the Red Flags Rule has been narrowed to creditors under ECOA that also regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transactions; or (iii) advance funds to or on behalf of a person, based on an obligation to repay the funds or repayable from specific property pledged by or on behalf of the person.