Congress Passes Legislation Clarifying Red Flags Rule; Compliance Deadline Approaches

Privacy & Information Security and Investment Management Update

Date: December 10, 2010


As the deadline approaches for compliance with the Federal Trade Commission's (FTC) "Red Flags Rule" ("Rule") (on which we have earlier commented), and in an effort to resolve the uncertainty created when Congress directed the FTC and other federal regulatory agencies to promulgate the Rule, Congress has passed long-awaited legislation clarifying which entities must comply with the Rule.

The prior legislation mandated that "financial institutions" and "creditors" that offer or maintain "covered accounts" adopt and use policies and procedures aimed at preventing fraudsters from assuming the identity of another when obtaining credit. The term "creditors" was broadly defined in the original legislation, and even more broadly in the FTC's original Red Flags Rule, and seemingly included entities that had not previously been required to comply with similar FTC rules in other contexts. Accordingly, confusion abounded regarding which industries, entities and activities were subject to the new Rule. As a result, the FTC repeatedly extended the compliance deadlines as Congress and the agencies worked to clarify the Rule's coverage.

The newly passed legislation provides some clarity by limiting the definition of "creditors" to those entities that regularly and in the ordinary course of business: "(i) obtain[] or use[] consumer reports, directly or indirectly, in connection with a credit transaction; (ii) furnish[] information to consumer reporting agencies ... in connection with a credit transaction; or (iii) advance[] funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person." The new legislation provides that "creditors" explicitly do not include those entities that "advance[] funds on behalf of a person for expenses incidental to a service provided," such as physicians, dentists, attorneys or other professionals. However, the legislation also grants the promulgating agency authority over any creditor that, in the agency's estimation, "offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft."

President Obama is expected to sign the new legislation into law before the FTC's January 1, 2011 compliance deadline.

For more information on the Red Flags Rule, go to

Thompson Hine is Available to Assist You

Thompson Hine's Privacy and Information Security practice, an interdisciplinary and international group of lawyers with experience in complex national and international issues including privacy, data protection, information security, records retention, employment and labor law, consumer protection, Internet law and intellectual property, can help you develop, implement and benefit from globally compliant data management practices. Our team has assisted numerous companies in developing and implementing global privacy and data protection programs and strengthening their strategic use of competitively critical data.