Update on Application of the Red Flags Rule in Light of the Statutory Clarification
The Red Flag Program Clarification Act (Clarification Act), 15 U.S.C. 1681m(e)(4), generally limits the application of the Red Flags Rule to creditors that regularly and in the ordinary course of business engage in at least one of the following three types of conduct:
- Obtain or use consumer reports, directly or indirectly (even if the report is not directly obtained by the creditor and even if the creditor uses a service provider to make the credit determination), in connection with a credit transaction;
- Furnish information to consumer reporting agencies in connection with a credit transaction; or
- Advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. “Advancing funds” does not include “payment in advance for fees, materials, or services that are incidental to the creditor’s ability to provide another service that a person initiated or requested” (e.g., a lawyer advances fund to pay an expert witness or other expenses that are part of providing the legal services the client has requested).
The Clarification Act does not create any industry-wide exemptions: whether any particular entity is covered by the Red Flags Rule must be determined by that entity’s specific conduct. ‘‘Regularly and in the ordinary course of business,’’ according to the FTC, excludes isolated conduct.
While the Clarification Act empowers the FTC, banking agencies, CFTC, and SEC to determine through a future rulemaking whether to include any other type of creditor that offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft, the FTC at this time does not intend to use its discretionary rulemaking authority to extend coverage of the Red Flags Rule to additional creditors.
AHA News Now: FTC temporarily exempts physicians from 'Red Flags' rule (June 28, 2010)
AHA News Now: FTC again delays enforcement of Red Flags rule (May 28, 2010)
AHA News Now: Physician groups challenge Red Flags rule in court (May 24, 2010)
AHA News Now: FTC delays Red Flags enforcement until June (November 9, 2009)
AHA News Now: FTC further delays Red Flags Rule enforcement (July 29, 2009)
AHA News Now: FTC issues guidance on Red Flags rule (April 7, 2009)
FTC Resource: FIGHTING FRAUD WITH THE RED FLAGS RULE: A How-To Guide for Business (March 20, 2009)
FTC's Red Flags Rule: Understanding and Meeting Compliance Expectations (October 2008)
AHA News Now: Hospitals encouraged to prepare for Red Flags rule (10/24/08)
Sample Policy: Red Flags Identity Theft Prevention Program (10/24/08)
Order a recording of the AHA Solutions Conference Call: FTC's New Red Flag Regulations-Are You Ready? (10/23/08)
Red Flags Rule Member Conference Call (10/07/08)
AHA News: Compliance Deadline for FTC's Identity Theft Provision Fast Approaching (09/02/08)
Federal Register: Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule (11/09/07)
State Hospital Association Resources
Ohio Hospital Association's Red Flag Rules Hospital Compliance Guide
Produced in cooperation with the law firm of Bricker & Eckler, this set of tools to help hospitals develop a compliant identity theft prevention program in line with the Federal Trade Commission's (FTC’s) “Red Flag” Rules, including: a step-by-step compliance guide, guidelines for a written identity theft prevention program, a model written identity theft prevention policy, and additional forms.
How to subscribe: The complete compliance guide is priced at $1,000. You can get additional information, or subscribe with a credit card online at http://www.bricker.com/redflag. For other payment options, please contact Megan Heiser at 614.227.4941 or firstname.lastname@example.org.
FTC’s Identity Theft Resources