Red Flag Rules Effective

January 5, 2010 By Jane Hils Shea

The Congress has enacted the Red Flag Program Clarification Act of 2010 (S.3987). The Senate passed the bill unanimously on November 30, 2010, and the House passed the bill on December 7, 2010. President Obama signed the bill into law on December 31, 2010.  As a result, the long delayed effective date of the Red Flag Rules has arrived. As of January 1, 2011, creditors are required to be in compliance.

As we have previously communicated in earlier client advisories, the federal banking regulators and the Federal Trade Commission jointly issued the Identity Theft Red Flag Guidelines in order to implement provisions of the Fair and Accurate Credit Transactions (FACT) Act, originally enacted in 2003. The Guidelines apply to financial institutions and other creditors which maintain consumer accounts, and require them to adopt and maintain a written Identity Theft Prevention Program. Organizations subject to regulation by the FTC were originally required to have adopted and implemented a program by May 1, 2009. Service providers such as physicians and attorneys at first asked for an extension on the basis that they were caught unaware, and then further protested that the law was incorrectly applied to them and imposed an undue burden in relation to the incidence of identity theft. In response to these protests and objections by the service providers who advanced credit incidental to their services, the FTC has repeatedly delayed the effective date while Congress considered the issue. The FTC's last delay was to January 1, 2011, unless Congress acted before that date.

The Act amends the Fair Credit Reporting Act to exempt attorneys and some businesses from some of the requirements of the FACT Act, including the requirement that they adopt and maintain an Identity Theft Red Flag Program. Specifically, it amends the definition of "creditor" to mean any creditor that (i) in the ordinary course of business obtains or uses credit reports in connection with a credit transaction, (ii) furnishes information to a credit reporting agency in connection with a credit transaction, or (iii) advances funds to a person on the obligation of repayment. Persons who advance funds for expenses incidental to services provided by that person are expressly exempted.

For more information regarding the Red Flags Rule, click here to see Frost Brown Todd's March 24, 2009 Legal Update.  If you need assistance with your Identity Theft Prevention Program, please contact Jane Hils Shea or any other attorney in Frost Brown Todd's Privacy and Information Security or Health Law Practice Groups for assistance