General Practice, Solo & Small Firm Division

A service of the ABA General Practice, Solo & Small Firm Division

Technology eReport

American Bar Association - Defending Liberty, Pursuing Justice

JUN 2009

Vol. 8, No. 2


FACTA’s “Red Flags” Rule May Apply to Law Firms

You’ve been advising clients about it, but have you realized it may apply to you?

On March 20, 2009, the Federal Trade Commission published “Fighting Fraud With Red Flags Rule: A How-To Guide for Business.” This latest compliance guide stresses the breadth of the Red Flags Rule, echoing other commentary that the rule may affect many businesses, nonprofits, and professionals who are unaware that they fall within the scope envisioned by the enforcing agencies.

According to the guidance offered thus far by the FTC, it appears that most law firms will be subject to the rule. Your firm may, therefore, need to put a written identity theft prevention program in place if it has not already. At this point, there is no way of knowing how strictly the FTC will enforce the rule against the legal profession. Nevertheless, enforcement is scheduled to begin on August 1, 2009.


The rule is found in sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which Congress passed in part in response to the growing threat of identity theft. Briefly put, the rule requires “covered entities” to conduct a risk assessment to determine if they have “covered accounts.” If so, the entity must develop and implement a written identity theft prevention program to identify, detect, and respond to “red flags”—suspicious circumstances that indicate the risk of identity theft.

The FTC, jointly with the federal bank regulatory agencies and the National Credit Union Administration, issued its final rules and guidelines implementing the rule on November 9, 2007. The mandatory compliance date was November 1, 2008. However, due to the surprising scope of the rule—many entities indicated that they generally were not required to comply with FTC rules in other contexts and were not aware they fell under FACTA’s definition of creditor—the FTC suspended enforcement of the rule until May 1, 2009.

To add to the state of confusion regarding the future of this rule, the FTC then again delayed enforcement until August 1, 2009. FTC Chairman Jon Leibowitz released the following statement on April 30, 2009:

Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the [FTC] template in developing their programs, and give Congress time to consider the issue further.

Although the circumstances suggest that additional changes may come, they also, ironically, serve as a “red flag” of sorts to law firms that they, too, may be covered by the rule.

Who Must Comply

The rule applies to “financial institutions” and “creditors” with “covered accounts.” The definition of financial institutions, as would be expected, includes banks, credit unions, and savings and loan associations. It is the definition of creditor, though, that seems to encompass law firms, as well as numerous other nonfinancial entities that regularly bill their clients after services are rendered.

“Creditors” Under FACTA

According to the regulations, the term “creditor” in FACTA has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA). The ECOA defines creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” Credit, in turn, is defined in the ECOA as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.”

Courts that have interpreted the ECOA have given an expansive meaning to these terms, which is in line with the FTC’s guidance for FACTA. In its publication “The ‘Red Flags’ Rule: What Health Care Providers Need to Know About Complying With New Requirements for Fighting Identity Theft,” the FTC expressed that “credit” is simply an arrangement by which “payment is made after the product was sold or the service was rendered.” In other words, the definition of creditor may encompass any invoice billing arrangement, including those often used by attorneys, physicians, manufacturers, and countless other businesses that do not require immediate payment for their products or services.

Further evidence that law firms may be “creditors” subject to the rule is found in a letter from the FTC to the American Medical Association, dated February 4, 2009. In that letter, the FTC cited the Federal Reserve Board’s position that the terms “creditor” and “credit” under the ECOA should be interpreted broadly to include all entities that defer payments, even in the normal course of the billing process. According to the Official Staff Commentary,

[i]f a service provider (such as a hospital, doctor, lawyer, or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation, even though there is no finance charge and no agreement for payment in installments.

Also noteworthy is that the FTC has issued a general warning to those entities that do not typically consider themselves to be creditors that they may be covered. It recently stated:

It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit and government agencies are “creditors” under the Rule. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

The FTC has already concluded that “[h]ealth care providers are creditors if they bill consumers after their services are completed.” Taken to its logical end, any entity that does not require immediate payment for goods or services could be considered a “creditor.”

Covered Accounts

Creditors that have “covered accounts” are required to develop and implement a written identity theft prevention program. There are two types of covered accounts: (1) an account . . . primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (2) any other account . . . for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The first type of covered account is a consumer account. Examples include “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.” The FTC has stated that, for healthcare providers, this type of account includes continuing relationships with consumers for the provision of medical services. It stands to reason, then, that covered accounts may also include continuing relationships with individual clients for the provision of legal services.

The final rules and regulations note that many industry commenters requested that the agencies limit the final rules to consumer accounts, where identity theft is most likely to occur. However, the agencies decided to maintain the second type of covered account as well. The regulations state that this “reflects the Agencies’ belief that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft.” Therefore, covered accounts likely include your firm’s business client accounts.

The Scope of FACTA Compared to the Gramm-Leach-Bliley Act

When the Gramm-Leach-Bliley Act (GLBA) was passed in 1999, the FTC determined that attorneys were “financial institutions” under the Act and sought to enforce the act against the legal profession. The underlying purpose of GLBA—not unlike the Red Flags Rule—was to protect consumers’ personal information. Covered institutions were required to develop a privacy policy, provide privacy notices to customers, and develop a system to protect the confidentiality and security of the consumers’ information.

The American Bar Association (ABA) requested an exemption for attorneys from the requirements of GLBA. When the FTC refused to grant the exemption, the ABA and the New York State Bar Association filed suit against the FTC seeking a declaratory judgment that would effectively exempt attorneys from the act. The court ultimately held that attorneys were not financial institutions under the definition of GLBA. Therefore, despite the initial jeopardy of application to practicing attorneys and the attempt at enforcement, attorneys did not have to comply with the act.

It is important that you not mistake the successful deflection of GLBA from the legal profession with a likelihood that the Red Flags Rule will also not be applicable to, or enforced against, attorneys. There are significant differences in the scope of the two acts. These differences suggest that, if the FTC attempts to enforce the Red Flags Rule against law firms, it will be more successful than its efforts were with GLBA.

For starters, GLBA only applies to “financial institutions.” At the time GLBA became effective, there was considerable debate as to whether attorneys engaged in “financial activities,” with the FTC citing tax and estate planning work as examples. The Red Flags Rule is clearly broader, applying to both financial institutions and creditors. Under FACTA, the definition of “creditor” is more likely to encompass law firms than the definition of “financial institutions” under GLBA.

GLBA’s applicability is further limited in that it only protects “consumers.” Business entities derive no protection from the act. By contrast, the Red Flags Rule is designed to protect both consumers and businesses. This draws a far greater number of law firm accounts within the ambit of FACTA. Taken together, these distinctions in scope between the acts indicate that the Red Flags Rule may be more applicable to law firms than GLBA.

How to Comply

A creditor with covered accounts must implement a written identity theft prevention program. The FTC has made clear that a low-risk entity, based on its initial risk assessment, can have a simple and straightforward program. Creditors are given flexibility to implement a program that best suits their business or organization and may incorporate into the program any of their existing procedures to combat identity theft. Nonetheless, a written program that has been approved by the board of directors, a designated committee, or an appropriate senior employee must be in place.

Each program must include policies and procedures to (1) identify the red flags of identity theft that that particular entity is most likely to come across in its business; (2) detect those red flags in its day-to-day operations; (3) respond appropriately to any detected red flags to prevent and mitigate identity theft; and (4) update the program periodically to account for new and changing risks of identity theft.

Appendix J of the agency guidelines lists 26 examples of possible red flags. For attorneys, the receipt of suspicious documents that appear to be altered or forged, or of dubious personal identifying information from clients or potential clients, would likely be the most common red flags. Of course, notice from a client that he or she did not receive particular legal services that were billed, or notice from a client that he or she may be the victim of identity theft, are also clear red flags.

If an attorney or employee encounters a red flag, oftentimes the most appropriate response is to simply notify the client of the issue and perhaps request additional identifying information. The FTC has indicated that covered entities may, in their discretion, determine that no response is necessary. However, certain circumstances may indicate the need for a more aggressive response, such as carefully monitoring account activity, denying a request to open a new account or closing an existing account, or even contacting law enforcement.

Once the program is approved, it is then the responsibility of the covered entity to effectively administer and oversee the program. This should include training employees to recognize red flags, notifying service providers who may receive access to covered accounts—such as system administrators—that their activity must comply with an identity theft prevention program, and periodically reviewing the success of the program.

Take Action, Attorneys and Clients

Although many of us have taken steps to help our clients comply with the Red Flags Rule, our firms may need to take some of their own steps as well. Columbus, Ohio attorney Jack Gravelle was one of the first to recognize this in his article “Lawyers rush to advise on new identity theft rules,” which appeared in LawyersUSA. He opined that, “[t]o the extent that firms extend credit by billing clients rather than accepting payment at the time of service, they appear to fall under the definition [of creditor].”

Many others have chimed in through blog posts and bar association articles that attorneys may need to implement their own identity theft prevention program. The enforcement date has come and gone, and so attorneys should now consider addressing any risks of identity theft that may exist in their own practice.

J. Joseph McCoy is an associate with Holmstrom & Kennedy, P.C. in Rockford, Illinois. He specializes in intellectual property and business law and can be reached at

© Copyright 2009, American Bar Association.