Posted on March 8, 2011 by Michael Epshteyn

ABA's Lawsuit Challenging Applicability of "Red Flags Rule" to Attorneys is Dismissed as Moot

The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the "Red Flags Rule," which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.

By way of background, the Red Flags Rule was promulgated by the Federal Trade Commission ("FTC") and the federal banking agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Under the Rule, a "creditor" -- which was defined broadly to include any business that accepts deferred payment for goods or services -- must establish a written identity theft prevention program if it offers certain types of consumer accounts. In April 2009, the FTC issued an Extended Enforcement Policy stating that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered creditors subject to the Rule. The American Bar Association ("ABA") sued to prevent the Rule from applying to attorneys.

In October 2009, the district court ruled in favor of the ABA and enjoined the FTC from enforcing the Rule "against lawyers engaged in the practice of law." After the FTC appealed the district court's ruling, the Red Flag Program Clarification Act of 2010 ("Clarification Act") -- which amended the definition of "creditor" as used in the Red Flags Rule and the FACT Act -- was signed into law. 

In its March 4 ruling, the Court of Appeals held that the enactment of the Clarification Act served to moot the ABA's claims. As explained by the Court in its opinion, the Clarification Act narrowed the definition of "creditor" to mean entities that not only accept deferred payments but also (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment. Thus, the Court found, "the FTC's assertion that the term 'creditor' . . . includes 'all entities that regularly permit deferred payments for goods or services . . . such as lawyers or health care providers' . . . is no longer viable." In addition, the Court noted that the legislative history of the Clarification Act "confirms Congress' intention to bar the regulation of lawyers based solely on deferred billing practices."

The Court observed that the FTC could pursue notice-and-comment rulemaking to promulgate new rules pursuant to which it might regulate lawyers and law firms. The Clarification Act left open this possibility by allowing the FTC to determine through rulemaking that a particular type of entity is a creditor under the Rule, based on a finding that the entity offers accounts that are "subject to a reasonably foreseeable risk of identity theft." However, the Court found as "merely hypothetical possibilities" this possibility -- as well as the prospect that the FTC would pursue a new enforcement policy against lawyers and law firms. Thus, the Court could not identify any currently-actionable dispute.

For the time being, attorneys who accept deferred payments for their services will remain outside the coverage of the Red Flags Rule (which became effective for non-financial institution creditors on December 31, 2010), provided they do not engage in the specific additional activities listed above. However, attorneys should note that they do not enjoy a blanket exemption from the Rule, and whether the FTC will engage in new rulemaking under the Clarification Act to broaden the scope of the Rule remains to be seen. And, of course, it is incumbent upon attorneys as part of their ethical duties to clients, to safeguard the information provided to them, including information which if released improperly could lead to identity theft.
Tags: , , , , , ,
Posted on November 22, 2010 by Candace J. Martin

Bill Introduced to Limit Scope of Red Flags Rule

On November 17th, just six weeks before the Red Flags Rule is slated for FTC enforcement, a bipartisan bill (H.R. 6420) seeking to limit the scope of the Red Flags Rule was introduced. The bill, entitled the “Red Flag Program Clarification Act of 2010,” seeks to amend the definition of “creditor” under the Fair Credit Reporting Act and, hopefully, finally put to rest the scope of coverage issue that has been the source of great controversy.

The law establishing the Red Flags Rule was passed in January 2008, with a scheduled effective date of November 1, 2008.  For financial institutions, the Rule is operative, but due to confusion and concerns over the scope of the rule – over what entities qualify as covered “creditors” -- the FTC has delayed enforcement five times. The current date for FTC enforcement to commence is December 31, 2010.  In announcing the most recent enforcement delay, the FTC stated that it was delaying enforcement of the Rule while “Congress considers legislation that would affect the scope of entities covered by the Rule.”  

The Red Flags Rule aims to prevent identity theft by ensuring that entities are aware of possible signs of identity theft. The Rule requires “financial institutions” and “creditors” who maintain “covered accounts” to develop written identity theft prevention programs. Under the current Rule, a “creditor” is broadly defined as any person or entity that (a) regularly extends, renews, or continues credit; (b) regularly arranges for the extension, renewal, or continuation of credit; or (c) any assignee of an original creditor who participates in the decision to extend, renew, or continue credit for a covered account. The broad definition of “creditor” adopted under the Rule encompasses a wide variety of organizations, including many health care entities, law firms, and accountants.

H.R. 6420 seeks to narrow the scope of the Rule by exempting from the definition of “creditor” a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The amended definition of “creditor” would also include any other creditors deemed (through rulemaking) by their appropriate regulating authority to offer or maintain “accounts that are subject to a reasonably foreseeable risk of identity theft.’’

The new legislation comes while the FTC’s application of the Rule is facing several challenges in federal court from organizations such as the American Bar Association (ABA), American Medical Association and the American Institute of Certified Public Accountants. Most recently, on November 15, 2010, the U.S. Court of Appeals for the D.C. Circuit heard oral arguments regarding the ABA’s challenge to the FTC’s application of the Rule to attorneys.

Tags: , , ,
Posted on May 28, 2010 by Timothy Tobin

FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses. 

 

 

The further delay comes as FTC Chairman Leibowitz acknowledges the agency’s Rule’s shortcomings: “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly.”

As previously covered in the Chronicle, the last delay occurred on October 30, 2009 when the FTC announced it would not begin enforcing the rule until June 1, 2010. That delay followed U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers (for analysis of that decision, click here). It also followed the House of Representatives' unanimous passage in late October of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule. Subsequently, in November 2009, the American Institute of Certified Public Accountants (AICPA) filed a lawsuit against the FTC challenging the applicability of the Red Flag Rule to Certified Public Accountants

Now the Red Flag Rule is facing a new legal challenge. On May 21, 2010, the American Medical Association (AMA), the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit against the FTC in the U.S. District Court for the District of Columbia challenging the Red Flag Rule and citing the court’s earlier decision regarding the applicability of the Rule to lawyers. In the latest lawsuit, these medical organizations argue that the Rule, which is applicable to financial institutions and creditors, unjustifiably "treats physician practices like banks, credit card companies and mortgage lenders."

 
Tags: , , , , , , , , , , , , , , , , , ,
Posted on October 30, 2009 by Timothy Tobin

FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.

Tags: , , , , , , , , , ,
Posted on August 27, 2009 by Timothy Tobin

Hogan & Hartson Prepares Guidance on Business Compliance with FTC Identity Theft Red Flags Rule

Businesses may be facing their last chance to comply with the FTC identity theft Red Flags Rule as the compliance deadline was extended over the Summer to November 1, 2009. On July 29, 2009, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its identity theft “Red Flags Rule”until November 1, 2009. This is the third time the FTC has delayed the enforcement date of the Red Flags Rule and each time the rationale has been largely the same – concern that some companies were “uncertain” or “not aware” that they were subject to the Rule (the prior delayed enforcement dates were May 1, 2009 and August 1, 2009). The latest announcement was accompanied by further FTC commitments to educate businesses about compliance with the Red Flags Rule. Given the confusion surrounding the Rule and its broad scope, companies that have not yet done so should carefully assess whether the Red Flags Rule applies to them and if so, develop an appropriate program.  Hogan & Hartson's guidance on this latest Red Flags development is attached here.

Tags: , , , , , ,