Wednesday, December 08, 2010

Congress Passes Bill Limiting Application of FTC “Red Flags Rule”

This posting was written by Jeffrey May, Editor of CCH Trade Regulation Reporter.

This January, lawyers, doctors, and small businesses will most likely not have to comply with a Federal Trade Commission regulation, known as the "Red Flags Rule," which will require certain businesses to develop written identity theft prevention programs.

Yesterday, Congress passed legislation that will limit the application of the rule to financial institutions and creditors that regularly use consumer reports or furnish information to consumer reporting agencies.

The proposed "Red Flag Program Clarification Act of 2010" (S. 3987) now awaits the President's signature.

The FTC's Red Flags Rule (16 CFR Part 681) was promulgated under the Fair and Accurate Credit Transactions Act (FACTA). The rule, which is set to take effect on January 1, 2011, will require certain businesses and organizations to develop a written program that identifies and detects identity theft warning signs or "red flags."

As written, the FTC rule would apply to small businesses—such as health care providers—that do not require full payment at the time of service. However, the Red Flag Program Clarification Act of 2010 would amend the Fair Credit Reporting Act to prevent the application of the rule to entities that advance funds for expenses incidental to services provided.

FTC Chair's Statement

In a statement issued today, FTC Chair Jon Leibowitz said that he was "pleased that Congress clarified its law, which was clearly overbroad."

The chairman's statement went on to say that the rule gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces.

Businesses with a high risk for identity theft may need more robust procedures—like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program—for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.

The effective date for the Red Flags Rule has been delayed a number of times, as the agency awaited clarification from Congress or the courts. Most recently, the FTC postponed enforcement until December 31, 2010.

Reaction from Professional Associations

The American Bar Association lauded Congress for clarifying how the FTC should apply the Red Flags Rule. The ABA had sued the FTC to block the rule. Last year, the federal district court in Washington, D.C. ruled that the FTC lacked authority to apply its Red Flags Rule to attorneys (2009-2 Trade Cases ¶76,825).

"At last, the American legal profession has clear and final relief from attempts to solve a non-existent problem that would have created paper-pushing and raised legal costs," said ABA Chair Stephen Zack in a December 7 statement.

The American Medical Association also issued a statement on December 7, saying that "the bill will help eliminate the current confusion about the rule’s application to physicians."
