If you are confused about whether you, your company or your clients are subject to federal identity theft regulations, you are not alone. When the Federal Trade Commission (FTC) announced on October 22, 2008 that they were delaying enforcement of the new Red Flags regulations by six months, until May 1, 2009 (which we reported here and here), the FTC admitted that the primary reason for the delay was that many businesses, even whole industries, were “confused” about whether they are governed by the new regulations. (See the FTC’s October 2008 release and Enforcement Policy statement.)
For some industries, this is less a point of confusion and more of a fundamental difference in opinion over whether the federal regulations apply to them at all. For many traditional financial institutions, like banks and credit card companies, there is no dispute because there are specific Red Flags regulations directed at them. See, e.g., 12 C.F.R. Pars 334 & 364. For most other industries, the legal issue at the heart of the matter is whether one can be considered a “creditor” under the general purpose Red Flags regulations, 16 C.F.R. Part 681, and the operative federal statute, the Fair and Accurate Credit Transaction Act of 2003 (FACT Act or FACTA).
The FTC claims that the term “creditor” applies to any business or entity that allows customers to pay for goods or services after they have been delivered and is has made clear that it intends to enforce the regulations broadly. For example, see the FTC’s October 2008 Enforcement Policy. According to the FTC, virtually anyone that bills its customers is a “creditor” subject to the Red Flags regulations. This means utility companies are covered entities (see the comments to the November 2007 Final Rules [.pdf]), but also consultants, lawyers, doctors, dentists and everyone who gets a check in the mail. The FTC’s construction is so broad, it seems to encompass someone selling an autographed baseball card on eBay who only gets paid after delivery, as well as an employee who receives a paycheck every two weeks in exchange for services rendered. I'll wager that most of us who receive paychecks did not know that somewhere along the line we have become creditors subject to the Red Flags regulations as well as the federal laws governing lending practices.
The real problem with the FTC's interpretation is that it does not seem to bear legal scrutiny. If everyone is a "creditor", then everyone is subject a host of legal requirements that are primarily enforced against traditional lending institutions. Because of this FTC's broad interpretation of “creditor” would severely expand federal lending laws, it is unlikely to find much support among federal courts. Two courts of appeals issued key decisions in 1990 and 2002 indicating that the term "creditor" was not intended to apply to everyone, but only to entities that we might consider lenders by trade or practice. These cases discredit the FTC’s underlying legal position and suggest, as industry groups throughout the country have urged, that the Red Flags regulations only apply to more traditional financial institutions and commercial lenders.
Below, Ramzi Ajami and I explain in greater detail the underlying legal differences in these positions and discuss why the FTC may find itself unable enforce the new regulations as broadly as it has announced.
The FTC's Bright-Line Rule: A “Creditor” Is Any Business That Receives Payment After Delivery of Goods or Services
The FTC has made it clear that it broadly interprets the term “creditor” to apply to any business or entity that allows customers to defer payment for goods or services until after they have been provided to the customer. This would include doctors, lawyers and a broad range of for-profit and non-profit businesses and organizations. The FTC has presented this interpretation in a number of public statements:
- In the commentary to the November 2007 Final Rules, the FTC and other federal rulemakers indicated that the term “creditor” includes traditional lenders “such as banks, finance companies,” but also automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
- In June 2008 guidance, the FTC indicated “[w]here non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.”
- On a July 22, 2008 conference call with municipal and state utilities organizations, FTC representatives apparently indicated that the Red Flag requirements apply to all business “operations which provide services before they bill the customer.” [For an industry report on that call see this link (.pdf).]
- During a conference call with members from the healthcare industry, FTC staff attorneys apparently stated that physicians and hospitals are “creditors” subject to Red Flags regulation “if they do not require full payment up front at the time they see patients, but rather bill patients after the physician’s services are rendered.” The American Medical Association and several other healthcare groups objected to this broad interpretation in a September 30, 2008 letter (.pdf) to the FTC chairman.>
- In its October 2008 Enforcement Policy (.pdf) statement, the FTC affirmed this broad interpretation when it affirmed that “any person that provides a product or service for which the consumer pays after delivery is a creditor.”
- The FTC’s Chief Privacy Officer Mark Groman reiterated that a “creditor” is any business, including law firms, that “defers payment” in exchange for goods and services during a January 2009 presentation at the Boston Bar Association. [See our piece on that event here.]
From these public statements, it is clear that the FTC has adopted a bright line test: anyone that accepts payment after he/she/it provides goods or services is a “creditor” subject to the Red Flags regulations. In the FTC’s view, the regulations apparently apply equally to doctors who bill their patients after an office visit, to lawyers and consultants who present their clients with bills for past services on a periodic basis, as it does to banks and credit card companies. Any business that does not demand up-front payment before it provides goods or services to its customers would apparently be a “creditor under the FTC’s current interpretation and, according to the FTC, should be developing a compliant identity theft prevention program (and, by the way, complying with federal lending laws).
Federal Courts of Appeals: No Bright-Line Rule, Businesses That Accept Payment After Delivery May Not Be A “Creditor”
Notwithstanding the FTC’s statements on this issue, federal court of appeals decisions interpreting who is a “creditor” under federal law have construed the term somewhat narrowly. Importantly, the federal appeals courts have pointedly refused to adopt a bright line standard like the one announced by the FTC.
Neither the Red Flags regulations nor the FACT Act define the term “creditor.” Instead, they incorporate the definition of “creditor” from a parallel federal statute, the Equal Credit Opportunity Act (ECOA). Under the ECOA, “creditor” is defined as “any person who regulatory extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation off credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” “Credit,” in turn, is defined in turn as the “right granted by a creditor to a debtor” to: (1) “defer payment of debt right granted by a creditor”; (2) “incur debts and defer its payment”; or, most broadly of all, (3) “purchase property and services and defer payment therefore.” As a result, the legal question for many businesses is whether they become a “creditor” simply by accepting payment for their services after they have been completed.
In Shaumyan v. Sidetex Co., 900 F.2d 16 (2d Cir. 1990), the Second Circuit Court of Appeals found that a contractor was not a “creditor” when it allowed a client to make incremental payments for home improvements that included installing siding and replacing doors and windows. In that case, the plaintiffs agreed to make a series of payments over time after work was completed, including an initial deposit, a payment when the work commenced, a payment after the project was half complete, a payment when the siding was installed and a final payment when the project after the windows and doors had been completed. Shaumyan, 900 F.2d at 17. The Second Circuit considered and rejected the argument this arrangement made the contractor a creditor under the ECOA merely because payment was not made before work begun or “instantaneously” when the services were provided. The Court reasoned that “[i]f this proposition were strictly applied . . . countless transactions in which compensation for services is not instantaneous would be characterized as credit transactions. Such indiscriminate application of the ECOA is not appropriate.” Shaumyan, 900 F.2d at 18-19 (internal citation omitted). Instead, the Second Circuit held that the contractor was not a “creditor” because payment was made “substantially contemporaneous” with the work that was performed. Shaumyan, 900 F.2d at 19 (“Since the … payment obligation was substantially contemporaneous with [the contractor’s] performance, the contract was not a credit transaction.”).
More recently, in Riethman v. Berry, 287 F.3d 274 (3d Cir. 2002), the Third Circuit Court of Appeals flatly rejected the FTC’s current interpretation of “creditor.” There, the Third Circuit considered whether a law firm could be considered a creditor because it entered into an attorney fee arrangement that permitted the client to make payments after services were rendered, and allowed for late payments. The Court rejected the plaintiff’s argument that any “post-service billing” (or billing for services or goods already rendered) transformed the law firm into a “creditor” and suggested that the term “creditor” must be limited to more traditional financial institutions. Otherwise “in addition to attorneys' fees, [plaintiff’s] interpretation of the ECOA would embrace doctors' fees, dentists' fees, accountants' fees, psychologists' fees and virtually all other professional fees. In view of the statutory purpose underlying the ECOA, it seems implausible that Congress intended to cover not only banks and other such financial institutions but also all professions.” Riethman, 287 F.3d at 278.
The Shaumyan and Riethman decisions appear to reject the FTC’s broad interpretation of “creditor” under the ECOA and, not surprisingly, industry groups such as the American Medical Association, brought these cases to the FTC’s attention in their September 2008 letter (.pdf). While other cases interpreting the ECOA may offer less support to industry groups resisting the FTC’s broad interpretation, they make clear that the federal courts that have examined issues have not adopted any bright line tests like the one announced by the FTC.
In particular, the issue of who is a “creditor” under the ECOA has been hotly contested in the context of residential and commercial leases. This led to a number of decisions from federal circuit courts and the Federal Reserve Board, the agency empowered to issue interpretive guidance on the ECOA, has weighed in on the issue with a non-binding interpretation asserting that “Congress did not intend the ECOA . . . to cover lease transactions” and warning that enforcing the ECOA against lessors “could impose significant burdens for certain segments of the industry — such as furniture and appliance leasing.” 50 Fed. Reg. 48018, 48019-20 (1985). Key court decisions on this issue include the following cases:
- In Laramore v. Ritchie Realty Mgt. Co., 397 F.3d 544 (7th Cir. 2005), the Seventh Circuit Court of Appeals held that a residential landlord was not a “creditor” under the ECOA. The Court reasoned that “typical” rental payments are better seen as credits for future services, rather than a deferral of debt for the underlying lease obligation. Laramore, 397 F.3d at 547. However, the Court explicitly left the door open for the ECOA to cover a non-typical residential lease that requires payment at the end of the month for the preceding month’s rent. “For the purposes of this case, we are concerned only with leases that provide for the lease of residential property for a term and roughly equal rental payments are due to the landlord at the beginning of each month during that term.” Laramore, 397 F.3d at 547 n.2.
- The Court of Appeals for the D.C. Circuit held in Micks at Pa. Ave., Inc. v. BOD, Inc., 389 F.3d 1284, 1289 (D.C. Cir. 2004) that a residential sublease did not transform the sublessor into a “creditor” under the ECOA. The Court was skeptical that merely collecting monthly rental payments constitutes an ECOA “credit transaction” and also justified its holding based on the fact that the ECOA requires that a “credit transaction” be in the “regular” course of business, but the sublessor at issue in the case was a restaurant who did not “regularly” extend subleases. Micks, 389 F.3d at 1289. This decision suggests that the D.C. Circuit, much like the Third Circuit in the Riethman case, may be reluctant to identify “creditors” without also considering the types of goods and services purchased.
- In a break with other courts, the Ninth Circuit Court of Appeals held that an automobile lease transformer the lessor into a “creditor” under the ECOA. In Brothers v. First Leasing, 724 F.2d 789 (9th Cir. 1984), the Ninth Circuit held that the lessor was a “creditor” because an automobile lease requires a lessee to defer payment of the debt. Brothers, 724 F.2d at 798 n.8.
This much is clear: federal courts of appeals have not adopted the FTC’s bright-line test for what businesses are “creditors.” Instead, the federal courts have applied the ECOA on a case-by-case basis and exhibited a clear reluctance to define “creditor” so broadly that it includes all businesses that bill their customers for past services. In particular, several federal appeals courts and the Federal Reserve Board have indicated that the ECOA was not intended to apply the term “creditor” to industries beyond traditional lending institutions.
Beyond legal formalities and abstractions, the concern expressed by these courts is grounded in common sense. If the FTC’s broad interpretation is not narrowed, who isn't a "creditor"? Having announced no practical limitations on who is covered by the new rules, the FTC appears ready to push scope of the Red Flags regulations to new limits. While many individuals and companies may have well-founded legal arguments that they are not subject to Red Flags regulations, anyone that ignores the new rules does so at their peril, given the FTC’s clear intention to enforce the regulations against virtually everyone.
Links:
- The FTC's website
- The Federal Register publication of the final Red Flags Regulations are available here (.pdf), or directly from the FTC's website here (.pdf)
- The FTC's Business Alert from June 2008 is available here (.pdf) and this guidance is available directly from the FTC's website here.
- The Oklahoma Municipal League's Municipal Policy Review, which reported on FTC public statements is available here (.pdf), or from the Oklahoma Municipal League's website here (.pdf).
- The September 30, 2008 letter sent by a long list of medical organizations to the FTC chairman is avaialble here (.pdf) or from the AMA's website here (.pdf).
- The FTC's October 2008 Enforcement Policy Statement may be found here (.pdf) or on the FTC's website here (.pdf).
- Reithman v. Berry, 287 F.3d 274 (3d Cir. 2002) (.pdf) or directly from the Court of Appeals website (.pdf)
This week, the 
Today, the 
This move comes days before the June 1, 2010 deadline that the FTC set in October for enforcement of the Red Flags Rule. Beginning in 2008, the FTC created controversy by construing the Red Flags Rule to apply to a wide range of "creditors", including anyone that invoices customers after providing goods or services. As a result, the FTC has faced backlash from law firms, accounting firms and medical practices. Groups representing these industries have filed lawsuits against the FTC to prevent them from applying the Red Flags Rule. 
Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations. The agencies involved include the 
