July 30, 2009
Enforcement of the “Red Flags Rule” – the federal regulation intended to curb pervasive identity theft – is now set to begin on November 1, 2009. The enforcement date has been pushed back repeatedly since the rule took effect on January 1, 2008: the original compliance date of November 1, 2008 was suspended until May 1, 2009; after pressure from certain industries and trade organizations, the deadline was extended to August 1, 2009, and it has just been extended again to November 1, 2009. Enforcement responsibility belongs to the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA), and the federal bank regulatory agencies.
The Red Flags Rule was promulgated in 2007 pursuant to Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), which amended the Fair Credit Reporting Act. The rule’s main provision requires “creditors” and “financial institutions” with “covered accounts” to develop and implement a written Identity Theft Prevention Program. The purpose of such a program is to establish a formal procedure for detecting, preventing, and mitigating signs of identity theft within an organization or among its clientele. An FTC Business Alert issued in June 2008 defines creditors, financial institutions, and covered accounts.
According to the business alert, a “creditor” is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Merely accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Non-profit and government entities that defer payment for goods or services are also considered creditors. Most creditors, other than those regulated by the federal bank regulatory agencies and the NCUA, fall under the jurisdiction of the FTC.
A “financial institution” is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
A “covered account” is an account used primarily for personal, family, or household purposes that involves or permits multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also any other account for which there is a reasonably foreseeable risk of identity theft, for example, small business or sole proprietorship accounts.
The definition of “creditor” and, more importantly, the question of who must comply with the Red Flags Rule have been the subject of pointed debate. Awareness of this debate matters because of the upcoming compliance deadline: despite ongoing confusion in numerous industries, the FTC may well not grant another extension of the enforcement/compliance deadline.
On the question of who is a “creditor,” for example, the FTC has made clear that it intends to include health care providers (including doctors’ offices, hospitals, and other health-related businesses and organizations) within the regulatory scope of the Red Flags Rule. In response to a September 30, 2008 letter from the American Medical Association, the FTC outlined the agency’s position on the Red Flags Rule’s applicability. The FTC stated that “health care professionals are covered by the [Red Flags] Rule when they regularly defer payment for goods and services.” The FTC further clarified its position on physicians by stating, “Congress would need to exclude physicians explicitly from the Fair and Accurate Credit Transactions Act’s definition of creditor for them to be excluded from the Red Flags Rule.”
One source of confusion is that the definition of “creditor” is “activity-based, not industry-based.” In other words, how an organization bills its clients matters more than the industry or profession in which the organization is classified. This approach is adopted from the definition of “creditor” in the Equal Credit Opportunity Act (ECOA). Because of it, one cannot readily generalize about whether a given profession or type of organization is, as a whole, a creditor. Nevertheless, confusion continues to arise as entire industries inquire about their exposure under the Red Flags Rule.
The FTC’s legal argument in support of its position relies on the substantial deference accorded to the Federal Reserve Board’s “Regulation B” and the Official Staff Commentary to Regulation B. That commentary explicitly lists hospitals, doctors, and lawyers as examples of service providers who may be considered creditors under the ECOA.
The cost of complying with the rule’s requirements should be modest given the extent of agency guidance available. Because of the Red Flags Rule’s wide-ranging applicability, its requirements leave substantial discretion to the organization. In short, the rule requires organizations to develop, implement, and administer an Identity Theft Prevention Program, as mentioned above. This written program must identify the relevant indicators (“red flags”) of identity theft, set out a method by which red flags will be detected, establish a procedure for responding to any red flags detected, and provide for periodic review and updating of the program. One key aspect of the rule is that the program must be in writing and approved by the organization’s Board of Directors (or an appropriate committee of the Board, or, where the organization has no Board, a designated member of senior management), with oversight of the program’s development, implementation, and administration assigned at that level.
The cost of not complying with the rule’s requirements is high. Violators could be subject to statutory penalties and potentially damaging publicity. As to statutory penalties, the FTC may seek a civil penalty of not more than $2,500 per violation. A state may also seek statutory damages of not more than $1,000 per violation. There is currently no criminal penalty and no private right of action for violations.
For those seeking more information, please contact Allen E. Molnar at (212) 313-5401/amolnar@harrisbeach.com, Joyce Parker at (585) 419-8628/jparker@harrisbeach.com, or the Harris Beach attorney with whom you generally work.
This alert does not purport to be a substitute for advice of counsel on specific matters.
Harris Beach has offices throughout New York state, including Albany, Buffalo, Ithaca, New York City, Niagara Falls, Rochester, Saratoga Springs, Syracuse and Yonkers, as well as Newark, New Jersey.