At the request of several members of Congress, the Federal Trade Commission (FTC) has extended the compliance deadline for the Red Flags rule from June 1 through December 31, 2010, while lawmakers consider legislation that would affect the scope of entities covered by the rule.
The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act (FACTA), in which Congress directed the FTC and other agencies to develop regulations requiring creditors and financial institutions with covered accounts to develop written programs to assist in identifying potential identity thefts.
“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags rule – and to fix this problem quickly,” said FTC Chairman Jon Leibowitz. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”
The rule became effective January 1, 2008, but the FTC has granted a series of delays at the request of members of Congress.
The definition of creditor is broad, and includes businesses that provide goods or services first and allow customers to pay later. Groups that could fall into this category include health care providers, lawyers, accountants and other professionals, and telecommunications companies. It could also include groups like mortgage brokers and automobile dealers that regularly offer financing.
Covered accounts are defined by the FTC as either:
- Consumer accounts designed to permit multiple payments or transactions, or
- Any other account that presents a reasonably foreseeable risk from identity theft
Organizations representing professionals’ groups have sued the FTC during the past year, arguing on various grounds that the rule should not apply to them. The American Medical Association (AMA), the American Bar Association (ABA) and the American Institute of Public Accountants (AICPA) all have brought legal action against the FTC on the Red Flags rule.
In the most recent suit, filed by the AMA, the American Osteopathic Association, and the Medical Society of the District of Columbia on May 21, the groups argued that the FTC will require them to start verifying their patients' true identities before they agree to treat them.
"The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity," said AMA spokesman Robert Mills, according to healthleadersmedia.com. "That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor."
In August 2009, in a suit brought by the ABA, the U.S. District Court for the District of Columbia barred the FTC from applying its Red Flags rule to lawyers.
“This ruling is an important victory for American lawyers and the clients we serve,” ABA President Carolyn B. Lamm said in a written statement, wisbar.org reported. “The court recognized that the Federal Trade Commission’s interpretation of the Fair and Accurate Credit Transactions Act (FACTA) over-reaches and its application to lawyers is unreasonable.”
The FTC in February said it would appeal the decision. The appeal is currently pending.
The AICPA’s suit, filed on behalf of its members on November 10, 2009, asserted in part that the FTC exceeded its statutory authority by extending the rule to regulate accountants and public accounting firms. The AICPA said that “it did not believe there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered.”
That suit is now linked to the outcome of the appeal of the ABA ruling. AICPA members in public accounting have been granted a 90-day grace period – a 90-day delay of enforcement of the rule – from the date on which the U.S. Court of Appeals for the District of Columbia Circuit renders an opinion in the ABA’s case against the FTC, the AICPA reported in a CPA Letter.