Today's Trends in Credit Regulation

Understanding Delays in FTC’s Red Flags Rule Enforcement
By Michael A. Goodman

On May 28, 2010, the Federal Trade Commission announced that it would delay enforcement of its Red Flags Rule until January 1, 2011. This was the fifth time in three years that the FTC had delayed enforcement. Although the FTC and the federal banking agencies announced their Red Flags Rules in 2007, the FTC has never begun to enforce its Rule. The FTC’s experiences in trying to draft and enforce a workable rule provide an interesting glimpse into the intersection between legislation and regulation. In fact, all three branches of federal government are involved in this real-life civics lesson.

The FTC’s Red Flags roller coaster began in 2003, when Congress passed the Fair and Accurate Credit Transactions Act. One element of the FACT Act amended the Fair Credit Reporting Act to require the FTC and the federal banking agencies to adopt rules requiring “creditors” and “financial institutions” to develop Identity Theft Prevention Programs.

Because Congress built this new provision into the FCRA, that Act’s definitions of “creditor” and “financial institution” established the scope of the Red Flags Rules. Any entity that satisfied the FCRA’s “creditor” definition would be subject to the agencies’ new Rules. The FCRA’s “creditor” definition merely points to the Equal Credit Opportunity Act’s definition of that term. Not only does the ECOA define “creditor,” but its implementing regulation, known as Regulation B, also defines it. Naturally, the definitions in the ECOA and Regulation B are not the same.

The ECOA’s “creditor” definition is very broad, perhaps because that Act is an anti-discrimination law and Congress intended it to have a widespread application. It covers “any person who regularly extends, renews, or continues credit.” “Credit” includes the right “to purchase property or services and defer payment therefor.”

When the agencies published their final Red Flags Rules in November 2007, they included explanations of various elements of their Rules to promote compliance. Their discussion of the Rules’ “creditor” definition is very short, and it indicates that the agencies believed that they lacked authority to tinker with the ECOA’s “creditor” definition in the context of the Red Flags Rules. As a result, according to the FTC’s position, any business that permits customers to buy now and pay later is a “creditor” now obligated to develop an Identity Theft Prevention Program.

For the federal banking agencies, this issue did not create controversy. Entities subject to the jurisdiction of those agencies have always known who they are, and the Red Flags Rules did not change that. For the banking agencies, the Red Flags Rules took effect on November 1, 2008, as promised in the Rules announced the year before.

The FTC, however, has faced a much bumpier road. Days before the original effective date in 2008, the FTC announced the first delay to give covered businesses more time to comply. The Commission had been hearing that entire industries had not yet begun compliance efforts because they did not think the Rule applied to them.

Roughly every six months since then, the FTC has announced another enforcement delay. Over time, the FTC’s justification for these delays has evolved. First, the Commission needed time to make sure that all covered businesses knew they were covered. Next, the Commission explained that it needed time to publish compliance guidance before it began enforcing the Rule. Finally, the Commission needed to face the fact that federal courts were expressing skepticism regarding the scope of the Rule and its “creditor” definition.

As the FTC’s enforcement delays persisted, several industries got more actively involved in the issue of the Rule’s “creditor” definition. In the summer of 2009, an association of accountants asked the FTC to exempt Certified Public Accountants from the Rule. The association explained that there was no reasonable risk of identity theft associated with accountants, and that this industry already imposed strict privacy requirements. In short, the accountants asserted that the burdens of complying with the Red Flags Rule outweighed the benefits of the Rule.

In that same time frame, the American Bar Association sued the FTC in federal court to stop the application of the Red Flags Rule to attorneys. The ABA also argued that the costs of the Rule outweighed the benefits, that the FTC was improperly exceeding its authority in imposing the Rule on attorneys, and that the FTC’s interpretation of the Rule’s scope was arbitrary and capricious.

A federal district court agreed with the ABA and blocked application of the Rule to attorneys. The court explained that the FTC was wrong to take the position that Congress intended the Rule to apply to attorneys. The court looked beyond the plain text of the ECOA’s “creditor” definition to reach the conclusion that Congress did not intend to impose the Red Flags Rule on every entity that might satisfy that definition. Rather, the court found that it made more sense to limit the Rule to those businesses that were in the position to stop the specific harm of identity theft that the Rule was intended to address. The FTC has pledged to appeal the district court’s decision, but it has not yet done so.

More recently, on May 21, 2010, the American Medical Association filed a similar case against the FTC in the same court that is hearing the ABA’s challenge to the Red Flags Rule. Relying on the ABA’s complaint and the court’s ruling in that case, the AMA asserts that applying the Rule to the medical industry would constitute an improper abuse of authority and that Congress could not possibly have intended the result pursued by the FTC.

Even before the results in court began to turn against the FTC, it appears that the Commission and Congress recognized that they had a problem on their hands. In October 2009, the House of Representatives passed a bill to create new exclusions from the Red Flags Rule by amending the FCRA’s “creditor” definition. These exclusions would have reached accounting practices, legal practices, health care practices, and others, if the practice had 20 or fewer employees. This bill would also have created a case-by-case process for requesting an exclusion from the Red Flags Rule for businesses that did not qualify for the bill’s small-business exclusion. The Senate never acted on this legislation.

The FTC’s most recent enforcement delay announcement indicates that the Commission is hoping that Congress will fix this problem so that the FTC can begin enforcing the Rule. The FTC’s Chairman is quoted in the announcement stating that the broad application of the Rule is an “unintended consequence” that only Congress can fix. In the meantime, the FTC has delayed enforcement of its Red Flags Rule until 2011, although it pledges to begin enforcement sooner if Congress passes a fix with a 2010 effective date.

Throughout this string of enforcement delays, the FTC has always pointed out that the federal banking agencies continue to enforce their Red Flags Rules and that the FTC’s other identity theft rules – a rule regarding address discrepancies applicable to users of consumer reports and a rule regarding changes of address applicable to card issuers – took effect on November 1, 2008, as scheduled.

Michael A. Goodman is a partner in the Washington, D.C., office of Hudson Cook, LLP. Basis Points readers can reach Mike at 202.327.9704 or by email at mgoodman@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.