On November 30, 2012, the Federal Trade Commission (FTC) issued an interim final rule related to its identity theft “Red Flags Rule”1 that amends the regulatory definition of “creditor” to make it consistent with the revised definition adopted by Congress in the Red Flags Program Clarification Act of 2010 (the “Clarification Act”). The interim final rule takes effect on February 11, 2013. Public comments on the interim final rule will be accepted by the FTC until this date.
The Clarification Act narrows the applicability of the Red Flags Rule to creditors (as defined in the Equal Opportunity Act) that regularly and in the ordinary course of business engage in at least one of the following three types of conduct:
- Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
- Furnish information to consumer reporting agencies in connection with a credit transaction; or
- Advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.
Importantly for non-bank, short-term consumer lenders, the FTC was clear that the third type of conduct was specifically drafted to ensure that certain lenders—such as payday lenders and automobile title lenders, which may not obtain, use or furnish consumer reports in the ordinary course of business but which lend money to consumers—are included in the definition of “creditor” for purposes of the Red Flags Rule, given that such loans are “attractive targets for identity thieves.”
Based on Congress’s amended definition of “creditor” in the Clarification Act and the FTC’s proposed rule implementing such definition, nearly all non-bank, short-term consumer lenders will be deemed creditors under the Red Flags Rule, even if they do not pull a consumer report because of actions relating to “advancing funds” to a consumer in connection with that consumer’s obligation to repay.
Pursuant to the Red Flag Rule, however, determining whether an entity is a creditor is only the first step in determining whether compliance is required. The second step requires an analysis of whether a creditor offers “covered accounts,” which include either:
- Accounts offered primarily for personal, family or household use that involve or are designed to permit multiple payments or transactions (such as lines of credit or consumer installment loans); or
- Any other account a creditor offers or maintains for which there is a reasonable foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.2
Nearly all of the non-bank, short-term consumer lenders to which we provide legal services will be required to implement a Red Flags Program (if such a program is not already in place) as a result of this interim final rule. A compliant Red Flags Program consists of the following components:
- The program must include reasonable policies and procedures to identify signs—or “red flags”—of ordinary theft in the day-to-day operations of the business;
- The program must be designed to detect the red flags or identity theft identified by the business;
- The program must set out the actions the business will take upon detecting red flags; and
- The business must reevaluate its program periodically to reflect new risks from this crime.
1 The Red Flags Rule, as promulgated by the FTC, can be found at 16 C.F.R. Part 681. Note that, according to the FTC, the rationale behind the Red Flags Rule is that early identification of potential identity theft allows businesses to be in a better position to “spot suspicious patterns” at an early stage and prevent them from “escalating into costly episodes of ID theft.” (FTC press release, “FTC Issues Amended Rule on Identity Theft ‘Red Flags,’” November 30, 2012.) For more information on the FTC and its interpretations related to the Red Flags Rule, see http://www.business.ftc.gov/blog.
2 FTC FAQ, “Fighting Fraud with the Red Flags Rule,” http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm.