Unfurling a new definition of "creditor" under the Red Flags Rule

Share This Page

Curious about the Red Flags Rule, an identity theft prevention measure first issued in 2007?  The FTC has announced a new Interim Final Rule that narrows the circumstances when a creditor is covered.  Are you and your clients up on the latest?

A little history first.  As part of changes to the Fair Credit Reporting Act, Congress directed the FTC and the banking agencies to issue joint rules and guidelines requiring “financial institutions” and “creditors” to put written programs in place to identify, detect, and respond to possible identity theft risks relevant to their businesses.  The rationale behind the rule?  By identifying in advance potential signs — “red flags” — that identity theft is afoot, businesses will be in a better position to spot suspicious patterns at an early stage and prevent them from escalating into costly episodes of ID theft.

Based on existing definitions in a related law, the rule defined the term “creditor” broadly.  In 2010, Congress passed the Red Flag Program Clarification Act, which narrowed the scope of who’s considered a “creditor” under the Red Flags Rule.  To be consistent with the new law, the FTC has amended the Red Flags Rule to say that a creditor is covered only if, in the ordinary course of business, it regularly:

  • gets or uses consumer reports in connection with a credit transaction;

  • furnishes information to consumer reporting agencies in connection with a credit transaction; or

  • advances money to or on behalf of a person.

That third provision has some additional caveats, so you’ll want to take a look at the Interim Final Rule for the specifics.

Is someone you know trying to get back on track after an incident of ID theft?   Do them a favor and tell them about new resources from the FTC, including a video with step-by-step rapid response tips.  Do yourself a favor and add a just-in-case bookmark.



I am just made aware of this new provision by Congress. I will incorporate it as a directive in my business. Thank you for highlighting this.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.