November 24, 2014

Advertisement

November 21, 2014

Federal Trade Commission Announces Interim Final Red Flags Rule

The Federal Trade Commission’s interim final rule, which clarifies that most service providers are not subject to the Red Flags Rule, takes effect February 11, 2013.

The Federal Trade Commission (FTC) announced an interim final Red Flags Rule to narrow the definition of “creditor” consistent with the Red Flag Program Clarification Act of 2010 (Clarification Act).  The Red Flags Rule requires “financial institutions” and “creditors” to develop and implement a written identity theft prevention program premised on identifying “red flags” of identity theft.  The FTC is accepting comments until February 11, 2013, at which time the interim rule becomes effective.

The Red Flag Program as adopted by Congress was highly controversial because the FTC took an expansive view of who had to comply with the Red Flags Rule, and it can be expensive and complicated to establish an identity theft prevention program.  Prior to the Clarification Act, any creditor as defined under the Fair Credit Reporting Act (FCRA) was subject to the Red Flags Rule, which included “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.”  The FTC interpreted this to include physicians and other health care providers who accept insurance or who permit payment plans by patients, as well as lawyers and other professionals who do not receive payment in full at the time of service.  

The Clarification Act limited the application of the Red Flags Rule only to creditors (as defined under the FCRA above) that regularly and in the ordinary course of business:

  • Obtain or use consumer reports in connection with a credit transaction, or
  • Furnish information to consumer reporting agencies in connection with a credit transaction, or
  • Advance funds to or on behalf of a person who has an obligation of repayment.

Although the Clarification Act seemed to exclude businesses that advanced funds or deferred payment, there was still some ambiguity as to how this would be implemented and applied.  The interim final rule clarifies that “advancing funds” does not include “payment in advance for fees, materials, or services that are incidental to the creditor’s ability to provide another service that a person initiated or requested.”  The rule notes, by example, that a lawyer who advances funds on behalf of a client to pay expert witness fees or other expenses related to the provision of legal services in the course of litigation is not “advancing funds.”  The rule further distinguishes a commercial lender making a loan from a business advancing funds and deferring payment for fees incurred while providing services to a client or customer—the former is a creditor, while the latter is not for purposes of the Red Flags Rule.

This interim rule confirms that most service providers are not subject to the Red Flags Rule.  However, any entity collecting consumer data must remain vigilant in how it collects, uses and safeguards that data.  The FTC may pursue enforcement actions under the FTC Act when companies do not take reasonable privacy protection measures scaled to the level of risk their privacy practices pose.  As such, it would be prudent for service providers to implement reasonable privacy practices, even if they fall outside the scope of the Red Flags Rule.

© 2014 McDermott Will & Emery

TRENDING LEGAL ANALYSIS


About this Author

Carla A. R. Hine, Antitrust Attorney, McDermott Will Law Firm
Partner

Carla A. R. Hine is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Washington, D.C., office.  She focuses her practice on antitrust and consumer protection regulatory matters.

In her antitrust practice, Carla has significant experience counseling clients on matters relating to mergers and acquisitions, collaborations, and compliance with the Hart-Scott-Rodino (HSR) Act and international merger notification regimes.  She defends mergers and acquisitions before the U.S. antitrust agencies and international competition authorities...

202 756 8095
Partner

Heather Egan Sussman is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  She brings a practical, business-sense approach to solving workplace issues that helps clients efficiently and effectively manage every kind of HR and privacy-related risk.  Heather is Co-Chair of the Firm’s Global Data Privacy Affinity Group and a Certified Information Privacy Professional.

617-535-4177