ABA Urges Congress and FTC to Exempt Lawyers from Red Flags Rules

Posted on June 26, 2009 by Gabriel M. Helmer

Earlier this week, on Monday, June 22, 2009, the American Bar Association (ABA) President H. Thomas Wells, Jr. issued a public statement urging Congress and the FTC to exempt lawyers from the requirements of the federal Red Flags Rules, stating:

The Rule, adopted under the Fair and Accurate Credit Transactions Act, or FACT Act, is noble in its intent.  However, the Commission’s application of the Rule to lawyers is unnecessary and not supported by law.  Lawyers are not engaged in the type of commercial activity that Congress was attempting to regulate with the FACT Act and should not be considered creditors under the Red Flags Rule.

In support of this position, the ABA President references federal caselaw suggesting that lawyers are not "creditors" under federal law and suggests that forcing lawyers to comply would be costly and pointless.  "Compliance with the Act would complicate client arrangements and require a major commitment of lawyers’ time, yet the FTC has failed to identify a single case of identity theft in the legal service context, suggesting that such a scenario is far-fetched, if not impossible."

As we reported in our earlier post on this topic, the ABA has been considering what action to take since it asked the FTC to delay enforcement of the Red Flags Rules in April and the FTC complied, postponing broad enforcement until August 1, 2009.  The ABA statement further suggests that the ABA may already be lobbying Congress behind the scenes to relieve the legal industry from the burden of compliance.

Tags: , , , , ,

FTC and Other Agencies Issue Frequently Asked Questions (With Answers) on Red Flags Rules

Posted on June 15, 2009 by Jeff Bone

On June 11, 2009, six federal agencies issued answers to a set of frequently asked questions (FAQ) (.pdf) to "assist financial institutions, creditors, users of consumer reports and card issuers in complying with the final rulemaking" on identity theft.  The agencies behind the FAQ are those that originally promulgated the Red Flags Rules (and issued Guidelines to assist covered entities in designing compliance programs): the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).  Some of the highlights from the FAQ are:

  • The agencies clarified that "all banks, savings associations and credit unions are covered by the Red Flags Rules and Guidelines as 'financial institutions,' whether or not they hold a transaction account belonging to a consumer," and including "those whose powers are limited to trust activities;"
     
  • Brokers, dealers, investment advisors or investment or insurance companies (including those that are subsidiaries of a bank or savings association) are covered by the Rules and Guidelines if they are a "financial institution" or creditor" under the Fair Credit Reporting Act.
     
  • IRAs will generally be considered "covered accounts" and thus subject to the Rules and Guidelines;
     
  • The term "covered account" includes accounts established in the United States by non-U.S. residents;
     
  • Check forgery or use of a stolen credit card constitutes "identity theft" because it involves a fraud using the identifying information of another person without authority;
     
  • The Rules and Guidelines do not require a financial institution or creditor to educate consumers regarding the risk of identity theft, although such programs "may be helpful as part of an overall effort to address the problem of identity theft"
     
  • Financial institutions may, but are not required to, use automated systems to detect red flags, but may have to supplement such a systems with non-automated procedures;
     
  • The Rules and Guidelines required financial institutions or creditors to oversee all service provider arrangements that relate to the opening or accessing of a covered account, not just those with providers that offer fraud detection services;

While it is certainly laudable for the agencies to put together a list of answers to various FAQs in order to facilitate the transition to when the Rules and Guidelines go into effect, I found many of the answers to be fairly unhelpful.  For starters, most of the questions and answers deal with the Rules and Guidelines only as they relate to financial institutions, even though they will apply to numerous other types of institutions.   Moreover, much of the guidance given was extremely vauge.  For example, many of the answers to questions regarding covered accounts could be summarized as "it depends on whether the institution determines that there is a foreseeable risk of identity theft."  It would have been helpful for the agencies to provide some examples or other more concrete information.  Hopefully the agencies will expand on the FAQ in the near future to address concerns of entities beyond financial institutions and perhaps provide more concrete guidance.

Links:

 

Tags: , , , , ,

ABA to Consider Asking FTC and Congress to Exempt Lawyers from Red Flags Rules

Posted on June 10, 2009 by Gabriel M. Helmer

A contact at the American Bar Association (ABA) confirmed by telephone today that the ABA Board of Governors is meeting this Saturday, June 13, 2009 to determine what position the ABA will take on whether lawyers and law firms are (or should be) considered "creditors" subject to federal Red Flags Rules.  Many among the legal community are hoping that the ABA urges the FTC and Congress to exempt lawyers from compliance with federal Red Flags Rules or takes some other action to limit the scope of the FTC's enforcement.  (For background on the Red Flag Rules, see our prior postings here, here and here). 

The FTC has previously indicated that it plans to enforce the Red Flags Rules against lawyers along with any other business that sells goods or services now and bills its customers later (see our prior discussion here).  However, according to the ABA, the first it heard of this issue was when federal regulators notified the ABA of the government's position on April 23, 2009.  This was just a week before the FTC was to begin enforcement of the Red Flags Rules.  The next day, after the FTC attended an emergency meeting with the ABA Government Affairs Office, President H. Thomas Wells, Jr. directed a letter to FTC Chairman Jonathan D. Leibowitz (.pdf) requesting an additional three to six months delay in enforcement so that the ABA could consider its stance on this issue.  The FTC appears to have acquiesced to the ABA request a few days later, when the FTC postponed the May 1, 2009 enforcement deadline until August 1, 2009 . 

In the president's letter as well as a separate public statement (.pdf), the ABA indicated that "some" believe that federal precedent contradicts the FTC's expansive interpretation of the law (for more information, see our detailed discussion of the caselaw here and here).  The ABA has also noted that "the FTC has no examples of identity theft arising from an attorney-client relationship." 

Given the looming compliance deadline, it seems likely that we will hear from the ABA shortly -- possibly as early as next week.  In view of the FTC's response (.pdf) to the public objection raised by the American Medical Association (.pdf), the ABA may need to take a different tack to effect a change in the FTC's enforcement policy.

[I should note that an attorney in California called me up yesterday to discuss the FTC's view that that lawyers should be considered "creditors" subject to federal Red Flags Rules.  Thanks are owed to her for raising the question of whether the ABA has articulated a view on this issue.]

Links:

 

Tags: , , , , , , , ,

Last Minute Reprieve: FTC Postpones Deadline for Red Flags Compliance Until August 1, 2009 - Will Release "Template" For Compliant Identity Theft Prevention Program

Posted on May 1, 2009 by Gabriel M. Helmer

 On Thursday, April 30, 2009, the day before federal Red Flags Rules were set to go into effect for a wide range of businesses, the FTC published a notice on its website indicating that it is postponing the deadline (yet again) until August 1, 2009.  Importantly, this delay appears to be imposed so that the FTC can provide businesses, many of which are confused about how to comply, a "template" identity theft prevention program.  "For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."  The FTC indicates that it will make the template available through their website.

In delaying enforcement, the FTC continues to maintain that the Red Flags Rules apply broadly to any business that bills its customers (i.e., "all entities that regularly permit deferred payments for goods or services").  In particular, the FTC specifically mentions that the statutory term "creditor" encompasses "businesses that provide services and bill later, including many lawyers, doctors, and other professionals."  The notice conceeds that considerable confusion has surrounded the preliminary question of who is covered under the new rules.  The FTC directs businesses looking for more information to the FTC's new microsite on the Red Flags Rules.

Links:

Tags: , , , , ,

FTC Launches New Website and "How-To" Guide for Companies Wondering How to Comply with Red Flags Rules

Posted on April 2, 2009 by Gabriel M. Helmer

As the May 1, 2009 deadline for compliance with federal Red Flags Rules nears, the FTC's staff has mentioned informally that helpful guidance would be forthcoming.   As of today, the FTC has launched its new Red Flags Rule website and with it, a Red Flags Rule "How-To" guide (.pdf). 

The website is a good collection of the FTC's materials on this issue and it includes official press releases and statements directed to various industries (including the FTC's letter to the healthcare industry (.pdf), the FTC's guide for telecom companies (.pdf) and the FTC's guide for utility companies (.pdf)). 

The FTC's advice in the How-To Guide may be somewhat general (e.g., "Just getting something down on paper won't reduce the risk of identity theft."), but it does simplify compliance into four steps:

  1. Identify Red Flags.
  2. Develop procedures for detecting Red Flags.
  3. Develop responses for Red Flags once you have detected them.
  4. Re-evaluate your Identity Theft Prevention Program as circumstances change.

For more specific information on threats and security measures, the FTC's webpage on information security is a useful resource drawn from the FTC's experience with companies that have had lapses in information security.  In particular, the FTC's Protecting Personal Information: A Guide for Business (.pdf) lays out five key principles for developing reasonable security procedures:

1. Take Stock. Know what personal information you have in your records.
2. Scale Down. Keep only what you need for your business.
3. Lock It.  Protect the information that you keep.
4. Pitch it.  Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents.

 

Tags: , , ,

FTC Asks Congress For Enhanced Rulemaking and Enforcement Powers To Curb Abuses in Financial Industry

Posted on March 24, 2009 by Gabriel M. Helmer

On Tuesday, March 24, 2009, FTC Chairman Jon Liebowitz testified before the U.S. House Subcommittee on Commerce, Trade and Consumer Protection seeking enhanced legal powers "[t]o allow the FTC to perform a greater and more effective role in protecting consumers." The prepared text of his testimony is available here (.pdf). Of particular note, the FTC is asking Congress to:

  1. Permit the FTC to use "notice and comment" rulemaking to declare business practices used in the financial industry to be unfair and deceptive acts in violation of the FTC Act -- a process that, according to Chairman Liebowitz, could shorten the time taken to put new regulations in place from 3-10 years under the current system to 1 year under a "notice and comment" system; and
     
  2. Authorize the FTC to bring civil lawsuits in federal court and to obtain civil penalties for unfair and deceptive practices.

The FTC's statements mirror growing public concern that the global economic meltdown requires immediate action to curb abuses in the financial industry and specifically in consumer lending and credit services.  In a section entitled "Tough Enforcement of Existing and New Laws," Chairman Liebowitz states:

Given the current state of the economy and consumers’ financial situation, the FTC has increased its emphasis on protecting consumers who are delinquent or in default on their debts from unlawful acts and practices. The FTC’s future law enforcement efforts will continue to focus on protecting consumers in financial distress from illegal harmful practices.

This testimony reinforces signals we have been receiving from the FTC that the Commission will be aggressively enforcing consumer facing federal regulations to respond to the financial crisis.  While the Chairman's comments are focused on the financial industry, this may impact a variety of businesses as we have seen with federal Red Flags Rules, which the FTC appears ready to enforce far beyond the traditional financial industry, as we have discussed here and here.

 Links:

  • The FTC press release is available here
  • The text of Chairman Liebowtiz's prepared comments are available here (.pdf) or from the FTC's website here (.pdf)
Tags: , , , , , ,