Curious about the Red Flags Rule, an identity theft prevention measure first issued in 2007? The FTC has announced a new Interim Final Rule that narrows the circumstances when a creditor is covered. Are you and your clients up on the latest?
A little history first. As part of changes to the Fair Credit Reporting Act, Congress directed the FTC and the banking agencies to issue joint rules and guidelines requiring “financial institutions” and “creditors” to put written programs in place to identify, detect, and respond to possible identity theft risks relevant to their businesses. The rationale behind the rule? By identifying in advance potential signs — “red flags” — that identity theft is afoot, businesses will be in a better position to spot suspicious patterns at an early stage and prevent them from escalating into costly episodes of ID theft.
Based on existing definitions in a related law, the rule defined the term “creditor” broadly. In 2010, Congress passed the Red Flag Program Clarification Act, which narrowed the scope of who’s considered a “creditor” under the Red Flags Rule. To be consistent with the new law, the FTC has amended the Red Flags Rule to say that a creditor is covered only if, in the ordinary course of business, it regularly:
- gets or uses consumer reports in connection with a credit transaction;
- furnishes information to consumer reporting agencies in connection with a credit transaction; or
- advances money to or on behalf of a person.
That third provision has some additional caveats, so you’ll want to take a look at the Interim Final Rule for the specifics.
Is someone you know trying to get back on track after an incident of ID theft? Do them a favor and tell them about new resources from the FTC, including a video with step-by-step rapid response tips. Do yourself a favor and add a just-in-case bookmark.