Archive for the ‘Red Flags Rule’ category

Court of Appeals Analyzes Red Flag Program Clarification Act

March 8, 2011

In the first case to discuss the Red Flag Program Clarification Act of 2010, the Court of Appeals dismissed the American Bar Association’s lawsuit against the Federal Trade Commission (FTC) as moot.  The American Bar Association filed suit in 2009 after the FTC issued an Extended Enforcement Policy, explaining that “professionals, such as lawyers or health care providers, who bill their clients after services are rendered,” would be considered “creditors” under the statute and, therefore, subject to the Rule’s requirements.  The Court determined that the Red Flag Program Clarification Act mooted the case because “the Clarification Act . . . clarifies that, to be a ‘creditor’ subject to the Red Flags Rule requirements, one must not only regularly extend, renew, or continue credit . . . , but must also ‘regularly and in the ordinary course of business,’ (i) obtain or use consumer reports, (ii) furnish information to consumer reporting agencies, or (iii) advance funds with an obligation of future repayment.”  The Court continued: “Most importantly, at least with respect to the matters in dispute in this case, the Clarification Act makes it plain that the granting of a right to ‘purchase property or services and defer payment therefore’ is no longer enough to make a person or firm subject to the FTC’s Red Flags Rule – there must now be an explicit advancement of funds.  In other words, the FTC’s assertion that the term ‘creditor,’ as used in the Red Flags Rule and the FACT Act, includes ‘all entities that regularly permit deferred payments for goods or services,’ . . .  is no longer viable.” 

Thus, the Court of Appeals confirmed the analysis of the Red Flag Program Clarification Act discussed in the previous blog posting.  Although the case involved the application of the Red Flags Rule to lawyers, the Court’s analysis should be equally applicable to municipal utilities, which were previously subject to the Red Flags Rule because of deferred payment for goods and services. 

However, the Court also noted that it would not prematurely comment on new rules that the FTC might promulgate to regulate lawyers.  As stated in the previous blog posting, the FTC has the authority to engage in rulemaking to include entities within the coverage of the Red Flags Rule that maintain accounts subject to a reasonably foreseeable risk of identity theft. 

A link of the Court’s opinion is provided here.

Advertisements

Municipal Utilities and the Red Flag Program Clarification Act of 2010

February 9, 2011

As previously posted on this blog, the Federal Trade Commission (FTC) delayed enforcement of the Red Flag Rules until December 31, 2010, in large part due to extensive litigation and controversy regarding the scope of the Rules.  According to the FTC’s press release, during the delay period, Congress was scheduled to consider legislation that would alter the scope of entities covered by the Rule, and more specifically the definition of a “creditor.”

At the end of December 2010, Congress passed the Red Flag Program Clarification Act of 2010, which as expected, changed the definition of “creditor.”  Though Congress redefined the term creditor, it did not clearly include or exclude specific types of entities, such as utilities, from the purview of the Red Flags Rule.  In short, it is not clear whether municipal utilities are still required to comply with the Red Flags Rule.  However, until the FTC revises its guidance, it is best to begin enforcing the Identity Theft Prevention Program that your municipal utility adopted in anticipation of the December 31st deadline.

Before the Clarification Act was enacted, only “creditors” and “financial institutions” with one or more “covered accounts” were required to develop and implement a written Identity Theft Prevention Program.  A “creditor” was defined as an entity that regularly extended, renewed, or continued credit.  A “creditor” included businesses or organizations that regularly deferred payment for goods or services or provided goods or services and billed customers later.  Municipal utilities were considered “creditors” under this Rule both because utilities defer payment for services and because the FTC’s regulations specifically referenced utilities as an example of a “creditor.”

The Clarification Act, however, changed the definition of a “creditor.”  Now, a “creditor” is defined as any person who regularly extends, renews, or continues credit, and who regularly and in the ordinary course of business:

(1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; or

(2) furnishes information to consumer reporting agencies in connection with a credit transaction; or

(3) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

Finally, Congress stated that the term “creditor” includes any other type of creditor, as the term was previously defined prior to the Clarification Act, if the Federal banking agencies, the National Credit Union Administration, or the Federal Trade Commission deem that the entity continues to be a “creditor” by regulation.  In order to enact such a regulation, the Federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission must make a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft. 

Based upon the Congressional Record in both the House and Senate, it appears that Congress wanted to limit the scope of the Red Flags Rule to those creditors that use consumer reports, furnish information to consumer reporting agencies, and to those creditors that loan money.  However, the Act specifically gives some discretion to the FTC and other regulatory agencies to include creditors which offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft.  To date, the FTC has not updated its regulations to include any other “creditors” within the scope of the Act.

From this new definition of “creditor,” a few basic principles can be distilled:

(1) Municipal utilities met the “old” definition of a creditor, so if your utility regularly obtains or uses consumer reports or if it provides information to consumer reporting agencies, your utility is still subject to the Rules.  Because the definition of a “creditor” includes the indirect use of consumer reports, your utility is probably still subject to the Rules, for example, if it contracts with collection agencies that obtain or use consumer reports or that report delinquencies to a consumer reporting agency.

(2) If your utility (and any collection agencies you contract with) does not obtain or use consumer reports or furnish information to consumer reporting agencies, your utility is no longer covered by the Red Flag Rules, except in the rare circumstance that you loan funds to customers.  Some utilities may provide conservation loans, septic loans, or other utility-related loans to customers, in which case, your utility would be a “creditor” under subparagraph (3).

(3) Even if your utility does not obtain or use consumer reports, furnish information to consumer reporting agencies, or provide loans to customers, the FTC or another federal regulatory agency may enact regulations to include utilities within the scope of the Red Flag Rules in the near future.  The FTC cited utility accounts as sources of identity theft in its previous regulations, and therefore, it seems likely that the FTC will include utilities within the scope of the Red Flag Rules in its revised regulations.  Because of this likelihood, it may be wise to continue to implement your Identity Theft Prevention Program in the interim.

(4) Remember that the Clarification Act has not changed the definition of a “covered account.”  Even if your utility continues to be a “creditor” under the new definition, only those creditors which maintain “covered accounts” must develop and implement a written Identity Theft Prevention Program.  “Covered accounts” are those which are offered or maintained by a creditor “primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions” or “for which there is a reasonably foreseeable risk to customers” of identity theft.

A link to the text of the Red Flag Program Clarification Act is provided here.

A link to the FTC’s webpage regarding Red Flag Rules is provided here.

If you have further questions regarding the Clarification Act or need assistance in drafting your Identity Theft Prevention Program please contact Kristin Eick at keick@omwlaw.com or 206-447-7000.

FTC Extends the Deadline for Red Flags Rule (Again)

June 9, 2010

At the request of several Members of the Congress, the FTC has delayed enforcement of the Red Flags Rule until December 31, 2010.  According to the FTC’s press release, during the delay period, Congress will be considering legislation that will alter the scope of entities covered by the Rule.  However, the FTC stated that if Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.

The press release can be found here.

FTC Extends Enforcement Deadline for Red Flags Rule

November 2, 2009

The FTC has extended the deadline for enforcement of the Red Flags Rule until June 1, 2010, at the request of Congress.  This delay comes on the heels of a U.S. District Court ruling on October 30, 2009, which held that the FTC may not apply the Red Flags Rule to law firms.  The Commission previously delayed enforcement of the Rule until November 1, 2009.  The FTC’s Press Release may be found here.  Other guidance materials may be found on the MRSC and FTC websites and on previous blog postings.

Cities Must Comply With Red Flags Rule By November 1st

October 8, 2009

The Federal Trade Commission has issued regulations requiring financial institutions and creditors to develop and implement written identity theft prevention programs by November 1, 2009, under the Fair and Accurate Credit Transaction Act of 2003 (FACTA).  Municipal utilities are subject to these requirements, and the City Councils of all cities that operate utilities must adopt programs that meet the requirements of FACTA. 

Below is a presentation explaining Red Flags rule requirements for municipalities.

 These identity theft prevention programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. (more…)