The FTC has released a guidance document that clarifies the scope of its Red Flags for Identity Theft Prevention Rule (“the Red Flags Rule”) and provides a practical four-step guide for covered entities to assess compliance.
The Red Flags Rule requires certain businesses and organizations to have in place a written identity theft program designed to detect “red flags” indicative of identity theft and take appropriate steps to prevent it. While the Red Flags Rule has always applied to “financial institutions” and “creditors,” the scope of the term “creditors” has generated some confusion. The initial Red Flags Rule defined “creditor” broadly by reference to the definition in the Equal Credit Opportunity Act and arguably covered any company that extended credit by allowing a customer to defer payment. This would include most businesses and service providers, including retailers, doctors, and lawyers.
After allegations that such a broad definition exceeded the FTC’s authority under the Fair and Accurate Credit Transactions Act (“the FACT Act”), Congress reacted by passing the Red Flag Program Clarification Act of 2010. The Act clarifies that for the purposes of the FACT Act, creditor means only those creditors that regularly and in the ordinary course of business either: (1) obtain or use consumer reports in connection with a credit transaction, (2) furnish information to consumer reporting agencies in connection with a credit transaction, or (3) advance funds to or on behalf of a person, based on an obligation of the person to repay. The Act further clarifies that creditor does not include an entity that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”