The Last Piece of the Red Flags Puzzle: FTC Issues Revised Red Flags Guidance

By William T. Koustas –

The Federal Trade Commission (“FTC”) has just released a revised guidance on its Red Flags Rule (“the Rule”) based on the amended Rule issued late last year in an effort to comply with the Red Flag Program Clarification Act of 2010 (“Clarification Act”). 

As we have previously reported (see, e.g., here), the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) directed the FTC to promulgate regulations requiring creditors to enact procedures to prevent identity theft.  In 2007, the FTC adopted regulations that required creditors to implement these procedures.  However, in April 2009, the FTC issued a document explaining that the Rule applied to a variety of professions, including attorneys and healthcare providers, because they bill their clients after services are rendered, thus, according to the FTC, extending credit. 

In light of this overly broad interpretation, many professional organizations, including the American Medical Association and the American Bar Association, lobbied Congress for changes to the FACT Act.  The American Bar Association even prevailed in a lawsuit against the FTC to enjoin enforcement of the Rule.  Congress eventually enacted the Clarification Act that amended the definition of the term “creditor” in the FACT Act to exempt attorneys and other professionals who bill their clients for services rendered and the FTC issued an interim final rule to the same effect in November 2012.

Now, the last piece of this puzzle falls into place.  On June 12, 2013, the FTC announced a revised guidance that incorporates the changes from the Clarification Act and the interim final rule.  This guidance now clearly states that professionals that bill clients at the end of the month or pay for fees or materials incidental to providing services (e.g., filing fees) are not subject to the Rule. 

However, this document does not appear to change the legal obligations of entities regulated under the Rule.  Such entities are still required to create and implement a program that includes reasonable policies and procedures to identify red flags of potential identify theft, detect those red flags, prevent and mitigate identity theft when detected, and update the program periodically to reflect new red flags that emerge.

According to the FTC, this nearly six year journey with the Red Flags Rule has (probably) come to an end.