HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches, Financial Privacy

FTC Amends Red Flags Rule to Adopt Narrower Definition of “Creditor”

The FTC has issued an interim final rule to amend the Identity Theft “Red Flags Rule,” which requires certain “financial institutions” and “creditors” to develop and implement a written identity theft prevention program to identify, detect, and respond to possible incidents of identity theft. The interim rule amendment conforms the Red Flags Rule’s definition of “creditor”—which was originally so broad as to include virtually all businesses that accept deferred payment for goods or services, including law firms, medical practices, and others not typically considered “creditors”—with the narrower definition of that term set forth in the 2010 Red Flag Program Clarification Act (the “Clarification Act”).

Congress passed the Clarification Act to limit the range of entities covered as “creditors” under the Red Flags Rule, and the interim final rule simply adopts the statute’s narrower definition. Under that definition, an entity will not qualify as a “creditor” within the meaning of the Red Flags Rule unless, in addition to accepting deferred payment for goods and services, it regularly and in the ordinary course of business:

  • Obtains or uses consumer reports (i.e., credit reports or other information obtained from a consumer reporting agency) in connection with a credit transaction;
  • Furnishes information to consumer reporting agencies in connection with a credit transaction; or
  • Advances funds to or on behalf of a person, in certain cases.

Perhaps more significant than the FTC’s adoption of the Clarification Act’s definition of “creditor”—which the agency described as a “technical revision” to ensure that the regulation is consistent with the text of the statute—is that the FTC expressly declined to exercise its discretionary authority to determine, through rulemaking, that other types of creditors (who do not meet the criteria listed above) are nonetheless covered by the Red Flags Rule because they offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft. The FTC stated in the interim final rule that it did not intend to use its discretionary rulemaking authority to extend coverage of the Rule to additional creditors “at this time.”

Although the door is still open to future rulemakings that would broaden the range of “creditors” subject to the Red Flags Rule, it appears that businesses can, for the time being, rely on the narrower definition adopted by the interim final rule.