Congress, FTC Restrict Definition of “Creditors” who must Adopt a Formal Plan to Prevent, Detect ID Theft

In journalism, the adage goes, “man bites dog” is news. The regulatory equivalent should be “government amends Rule to make it narrower.” Yet that is what the Congress and the FTC have done to the definition of “creditors” that are required to approve and implement a “Plan” to prevent, or at least detect and ameliorate, incidents of identity theft, one of the most frustrating violations of personal privacy that unlucky consumers must confront.  See 77 F.R. 72715 (December 6, 2012).

And it all makes good sense. Over the last decade, ID theft has become a major problem. In 2007, Congress addressed it by adding to the Fair Credit Reporting Act a section requiring that certain businesses, including “creditors,” adopt a Plan to prevent and detect instances of identity theft. Using federal guidelines, each covered party had to create a plan that was tailored to its unique business and circumstances.

There was a studied effort to avoid “one size fits all” regulatory requirements. In issuing its final Rule and follow-up guidance, the FTC made clear that it would judge plans in a flexible manner, looking to ensure that the business had made a bona fide effort to identify the elements of it process that could increase the risk of ID theft.

In the original Act and, similarly, in the FTC’s implementing Rule, the definition of “creditor” was based on the very broad definition of the term in the Equal Credit Opportunity Act (“ECOA”). Even under the Fair Credit Reporting Act (“FCRA”) that contained the Red Flag requirements, the term “credit” was not defined but had been construed very broadly by courts over a long period of time.

There was a good policy reason for these broad definitions. In determining when discrimination should be prohibited (ECOA) or when consumers should get disclosures to make sure that adverse credit actions were based on accurate facts (FCRA), one should not constrict the scope of those rights. At the same time, those definitions bring into play many creditors for whom the risk of involvement in identity theft is very low. For example, a neighborhood store that takes checks is much less likely than a credit card issuer to run into such problems, but depending on circumstances, both could be covered by the Red Flags Rule.

Congress limited the statutory definition of “creditor” to include 3 tests for Red Flags purposes: “creditors that regularly and in the ordinary course of business engage in at least one of the following three types of conduct:

1. Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; or
2. Furnish information to consumer reporting agencies in connection with a credit transaction; or
3. Advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.” (Footnotes omitted).

These may not be the only criteria Congress could have chosen, but they do comprise the most likely sources of ID theft issues. To add flexibility, the Congress authorized the FTC to supplement the Rule with other criteria for “creditor” that would serve the same policy purposes.

In announcing the amendments to the Red Flags Rule, the FTC did not first seek public comment, noting that the changes were purely ministerial to conform its Rule to the amended definition in the Act. The FTC announced it was not proposing additional criteria for covered “creditors” at this time.

Even companies that benefit from the streamlined definition should not discontinue their efforts to combat ID theft. Even if they do not want to prepare a formal plan approved by the Board of Directors and implemented at a high level in the company, protecting its customers from ID theft is good business. What responsible company would ignore indicators of possible ID theft (red flags) or not try to halt an incipient breakout, just as they would try to avoid data breaches through improved security?

Such flare-ups can be expensive and lead to legal liability beyond the FTC’s Red Flags Rule. Still, the government’s actions cut back on the need for universal formulaic compliance and are a sensible step in the war against ID theft.