Professional service providers such as attorneys, accountants, and doctors no longer fall within the definition of a creditor under the Red Flag Rule.
The Federal Trade Commission’s (FTC) so-called “Red Flag Rule,” which requires all businesses that are potential identity-theft targets to develop plans to spot red flags and prevent theft, received much criticism for being too broad. But now there’s some relief: S. 3987, the Red Flag Clarification Act, which President Obama signed into law in December 2010.
To recap, under the Red Flag Rule, the FTC had been interpreting “creditor” broadly by including organizations that defer payment for goods or services and bill clients later. This led to widespread concern that the Red Flag Rule would be applicable to entities not typically thought of as creditors, including law firms and health care providers.
The Red Flag Clarification Act exempts such entities by revising the definition of creditor to exclude creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
Essentially, the Red Flag Clarification Act limits the scope of the Red Flag Rule to creditors that regularly and in the ordinary course of business obtain or use consumer reports in connection with a credit transaction; furnish information to consumer reporting agencies in connection with a credit transaction; or advance funds to a person based on the person’s obligation to repay the funds.
The legislation does include a provision that would allow other types of creditors to be subject to the Red Flag Rule if the agency with authority over the creditor (such as federal banking agencies) determines that the creditor has accounts that are subject to a reasonably foreseeable risk of identity theft.