On December 7, 2010, Congress passed a bill amending the Fair Credit Reporting Act definition of "creditor" for Red Flags Rule purposes, thereby narrowing the scope of entities that must comply with the Federal Trade Commission's December 31, 2010 deadline to develop and implement certain identity theft prevention programs.1 The bill is awaiting the President's signature.
The prior controversial Red Flags' definition of "creditor" could have potentially swept in many entities, including professional offices, e.g., physicians, dentists, and law firms. The amendment generally excludes from the Rule's scope entities whose credit activities are limited to allowing customers to pay for a product or service at a later time.
The new definition limits application of the Rule only to a "creditor" that:
1) uses consumer reports in connection with a credit transaction;
2) furnishes information to consumer reporting agencies in connection with a credit transaction; or
3) advances funds to or on behalf of a person based on an obligation of that person to repay the funds from specific property pledged by or on behalf of the person. Creditors that "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person" are excluded.
This definition will raise new interpretive issues about its scope. The amendment also allows the FTC and the federal banking agencies by rule to expand this new definition of "creditor" based on a determination that a creditor "offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft."
1See Red Flag Program Clarification Act of 2010, S.3987. For previous alerts and detail about the Red Flags Rule, see, e.g., September 2, 2008 Red Flags Rule Alert; October 24, 2008 Red Flags Rule Alert; November 5, 2009 Red Flags Rule Alert; November 30, 2010 Red Flags Rule Alert.