Limited Relief From Red Flags Rule Requirements

The Federal Trade Commission published the Red Flags Rule in October 2007 in an attempt to combat the risk of identity theft. The rule requires any entity defined as a “creditor” to institute an identity theft prevention program. Originally, the rule defined “creditor” very broadly and it included businesses and organizations that provide goods or services first and allow customers to pay later. This definition encompassed many types of businesses that are not generally considered creditors, such as accountants, attorneys, landscapers, home improvement contractors, dentists, physicians, and practically any other business that billed consumers in arrears for services provided, even mom and pop grocers. After several delays, the rule goes into affect December 31, 2010.

However, late in the day, December 8, 2010, the US House of Representatives passed a bill, which had already been approved by the Senate, which significantly narrows the scope of the businesses that will be considered creditors under the rule. At this writing, the President appears ready to sign the legislation. The legislation amends the definition of “creditor” to exclude an organization “that advances funds on behalf of a person for expenses incidental to a service provided by the [organization] to that person.” This change is intended to exclude businesses that bill for goods or services after the goods or services have been provided. This revision was advanced by bar associations, physicians, other health care providers, and various others, and will benefit not only those service providers, but numerous other businesses.

However, even those organizations that appear to be excluded under the new language need to be careful not to jump to conclusions. All businesses that provide services prior to requesting payment should examine their overall business practices because if they perform any of the activities outlined below, they will still be considered a creditor under the RFR and be subject to its requirements. Those activities are:

  • Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction
  • Furnish information to consumer reporting agencies in connection with a credit transaction
  • Advance funds to or on behalf of a person, based on an obligation of that person to repay the funds or repayable from specific property pledged by or on behalf of the person

A failure to implement an identity theft prevention program by a business remaining under the rule’s still broad definition of a creditor, may subject the business to monetary penalties and civil suits by consumers.

For More Information

If you need assistance determining whether your organization remains subject to or how to comply with the Red Flags Rule, please contact Paul H. Schieber at 610.205.6040.

This News Alert has been prepared for informational purposes only and should not be construed as, and does not constitute, legal advice on any specific matter. For more information, please see the disclaimer.