LifeLock Blog

The Red Flag Laws that took effect on Jan. 1, 2008, where supposed to require businesses that handle credit to adopt written plans to identify, detect, monitor and respond to potential instances of identity theft. The enforcement deadline was set for a reasonable Nov.1, 2008, but the FTC as postponed the enforcement several times to allow business time to comply.

The first time the laws were delayed was to May 1, 2009. Then the FTC backed it up to August 1, 2009, and then Nov. 1, 2009, and then again to June 1, 2010 ,and then finally Jan. 1, 2011 were the FTC says it will finally be enforced.

One of the reasons for the delays were because of several groups petitioning the FTC for more time to comply. Other delays were because of several members of congress trying to narrow the scope of the law.

Several professions have already worked their way out of the Red Flag Laws including lawyers, health care providers, and physicians. Also under the new clarification act any businesses that allows deferred payments for expenses incidental to a service is now not considered to be a creditor and is exempt from the Red Flag laws as well. So it seems there’s not a whole lot of businesses left to comply mainly car dealerships from what I have read.  Oh well, at least they aren’t going to move the deadline back again it was starting to get ridiculous.

who are the red flag laws for anyway? I know the regulation says creditors and that was supposed to include health care providers, attorneys, doctors, hospitals, and anyone who allows people to deffer payments. I’m sure they meant to include them in the regulations to make their professions less likely to be used and abused by identity thieves. It seems the attorneys and health care providers as well as other who  permit payment to be deferred have been left off the hook.  Pending litigation by the American Medical Association and other physician organizations has all but gotten them exempt as well. So who are these laws for anyway?

What follows is the new clarification as to what a creditor means.

SECTION 1. SHORT TITLE.

This Act may be cited as the `Red Flag Program Clarification Act of 2010′.

SEC. 2. SCOPE OF CERTAIN CREDITOR REQUIREMENTS.

(a) Amendment to FCRA- Section 615(e) of the Fair Credit Reporting Act (15 U.S.C. 1681m(e)) is amended by adding at the end the following:

`(4) DEFINITIONS- As used in this subsection, the term `creditor’–

`(A) means a creditor, as defined in section 702 of the Equal Credit Opportunity Act (15 U.S.C. 1691a), that regularly and in the ordinary course of business–

`(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;

`(ii) furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; or

`(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;

`(B) does not include a creditor described in subparagraph (A)(iii) that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; and

`(C) includes any other type of creditor, as defined in that section 702, as the agency described in paragraph (1) having authority over that creditor may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.’

(b) Effective Date- The amendment made by this section shall become effective on the date of enactment of this Act.

Confused? Yeah so am I, not sure what all that says but it seems no one except for people who most likely already have identity theft detection programs active have to follow these rules. These Red Flag laws started out as a great idea, but now they a simply a job that can be fixed simply by complaining enough about them.

The Federal Trade Commission has rejected the request to exempt physicians and other health care professionals from the FTC Red Flag, identity theft prevention, laws. It seems the U.S. District Court for the District of Columbia found that the FTC exceeded its authority in enforcing it’s Red Flag laws against attorneys and layers. So I guess the AMA, American Medical Association, thought they would take a stab at trying to get themselves exempt as well. Their first attempt has been rejected.

This does not come as a surprise, the FTC is still trying to appeal the decision brought by the American bar Assn, so it doesn’t makes sense that they would just let the medical professionals off the hook. I understand that these businesses don’t want to implement identity theft programs, like the rules regulate, but it would be for the benefit of their customers.

The Red Flags laws have been delayed several times and it seems that they could be delayed much longer if the lawsuits don’t clear up. It seems the AMA is trying to prevent the FTC from enforcing the regulations until the ABA litigation is resolved. Who knows how long that could take?

I think the Red Flag laws are a good thing and bring some responsibility to creditors. If they are going to lend people money be it a banks, medical, or lawyers they should take the time to unsure they are charging the right person. I think the the Red Flag laws will be most helpful in the medical field due to the large number of medical identity thefts that happen.



The FTC has one again extended the deadline for the Red Flag Rules. This is the fourth time it has been extended, the original deadline date being November 1, 2008. Companies outside of the financial sector have revived three other extensions the last one being November 1, 2009, which was yesterday. Seems the FTC has decided businesses need more time to comply and have extended the deadline again to June 1, 2010.

For those of you who don’t know what the Red Flag Rules are they where setup to force banks and creditors to implement written and identity theft prevention programs. The programs should be designed to identify, detect, and respond to any identity theft problems. If a program is implemented properly the businesses should be better at identifying identity theft threats to their customers and should be better equipped to resolve and preventing the identity theft.

So why is the FTC giving businesses so much time to comply with the new rules. Well I don’t know, maybe they are not prepared to punish or reprimand businesses that have not complied yet. Maybe they feel with each new deadline more and more businesses are complying and that’s what they wanted in the first place.

It is very important that these businesses take some responsibility in preventing identity theft. I feel that businesses have been some what apathetic to the situation relying on insurance companies and FDIC to cover loses. Even if the business isn’t worried about the loses they might incur they should care enough about their customers to protect them from any and all losses.

Looks like employing the classic legal strategy of delaying the case has paid off for the American Bar Association—at least for the time being. A federal judge today determined that lawyers should be exempted from the Red Flag Rules intended to curb identity theft.

The Red Flag Rules go into effect this weekend for all businesses that fall under the Federal Trade Commission’s definition of creditor. Essentially, the FTC considers any business that provides services before payment is rendered or allows customers, clients or patients to make payments on their bills to be a creditor.

Federal Judge Reggie Walton said he disagreed with that definition, and that the definition was so broad that a plumber who worked on a toilet for two days before billing the customer would be considered a creditor. (more…)