FTC Delays Red Flags Enforcement Until Dec. 31
On May 28, the Federal Trade Commission (FTC) announced that it would push the Red Flags Rule deadline to December 31, 2010. This extension will give Congress time to consider legislation that would affect the scope of entities covered by the Rule. In a statement about the delay, the FTC urged “Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.”
The Rule, which was supposed to go into effect on June 1, was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The Rule requires businesses and organizations which are creditors to develop a written program to spot the warning signs — or “red flags” — of identity theft. The Rule defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, a company is a creditor if it regularly bills individuals after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, companies that regularly allow purchasers to set up payment plans after services have been rendered are creditors under the Rule. Some other examples of companies that may be covered are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many doctors.
The Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs. A covered account is defined as an account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. If a company is a “creditor” with “covered accounts,” it must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.
This is the fifth time the FTC has delayed enforcement of the Rule, which the FTC originally had planned to enforce beginning November 1, 2008. Most recently, the FTC announced in October 2009 that at the request of certain members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of businesses covered by the Rule.
In this regard, the House has already passed a bill to exempt small health, legal, and accounting firms from the Rule. A nearly identical bill was also introduced in the Senate on May 25. The senators say the bill aims to protect small businesses like doctors’ and dentists’ offices, veterinary clinics and accounting offices that the FTC has mistakenly classified as “creditors.”
In the meantime, health, legal, and CPA professional groups have all filed lawsuits against the FTC to enjoin enforcement of the Rule. In October 2009, the U.S. District Court for the District of Columbia ruled that the Rule does not apply to lawyers. Other industries seem to be following suit, as last week the American Medical Association, American Osteopathic Association and the Medical Society of the District of Columbia filed suit against the FTC charging that the Rule exceeds the powers delegated to it by Congress and that its application to physicians is “arbitrary, capricious and contrary to the law.”
In its most recent announcement the FTC urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.
In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm).
Arent Fox is monitoring this issue. For more information, please contact Anthony V. Lupo or Sarah Bruno.
Anthony V. Lupo
lupo.anthony@arentfox.com
202.857.6353
Sarah L. Bruno
bruno.sarah@arentfox.com
202.775.5760


