By: J. Joseph McCoy
After more than two years of delays, the Federal Trade Commission (“FTC”) began enforcing the Red Flags Rule (“Rule”) on December 31, 2010. The Rule requires financial institutions and creditors with covered accounts to develop and implement a written identity theft prevention program. The program must include reasonable procedures to identify, detect, and respond to “red flags” – suspicious circumstances that indicate the risk of identity theft.
New law clarifies “creditor”
On December 18, 2010, the Red Flag Program Clarification Act of 2010 was signed into law. The Clarification Act defines “creditor” as one who regularly and in the ordinary course of business:
(1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
(2) furnishes information to consumer reporting agencies in connection with a credit transaction; or
(3) advances funds to or on behalf of a person, based on an obligation of repayment.
Previously, the FTC had interpreted the term “creditor” very broadly to include any business that allowed deferred payment for its products or services. The Clarification Act will exempt many of those businesses from complying with the Rule, as long as they do not meet one of the listed conditions.
However, there is still some uncertainty as to the current application of the Rule. The Clarification Act does not grant an outright exemption to any industry. Therefore, any business could still be covered if its practices cause it to fall under the definition of creditor.
In addition, credit transactions are still broadly defined to include standard invoice billing arrangements. Businesses that defer payment for goods or services may be covered if, for example, they use credit reports to determine whether to allow the deferred payment, or report past-due accounts to a credit agency. Note that merely accepting credit cards as a form of payment does not make a business a creditor under the Rule.
Steps to comply with the Rule
An identity theft prevention program must contain certain elements to comply with the Rule. Each program must include policies and procedures to (1) identify the red flags of identity theft that the particular entity may come across in its business; (2) detect those red flags in its day-to-day operations; (3) respond appropriately to detected red flags in order to prevent or mitigate identity theft; and (4) periodically update the program to account for new and changing risks.
Once the program is developed, it is the business’s responsibility to administer it effectively. This includes training employees to follow the procedures set forth in the program and exercising appropriate oversight over third-party service providers.
Penalties for noncompliance
The FTC may impose a fine of $3,500 for each violation of the Rule. For a business with many covered accounts, this fine could be significant. The FTC may also sue the creditor for injunctive relief requiring the creditor to comply with the Rule in the future and to provide reports to the FTC and the Court establishing that it is in compliance.
Even as now limited by the Clarification Act, if you have an account with or otherwise send information to a credit-reporting agency, you should promptly consider whether the Rule applies to your business.
Joe McCoy is a member of the firm and works in the Corporate & Business Law Group. Joe has represented dozens of companies in connection with business acquisitions and sales, providing counsel on all aspects of the transaction from negotiation to closing. In addition to his work on business transactions, Joe advises clients regarding business organization, governance, management, and growth.