Congress passed the Clarification Act to limit the range of entities covered as “creditors” under the Red Flags Rule, and the interim final rule simply adopts the statute’s narrower definition.  Under that definition, an entity will not qualify as a “creditor” within the meaning of the Red Flags Rules unless, in addition to accepting deferred payment for goods and services, it regularly and in the ordinary course of business: 

• Obtains or uses consumer reports (i.e., credit reports or other information obtained from a consumer reporting agency) in connection with a credit transaction;

• Furnishes information to consumer reporting agencies in connection with a credit transaction; or

• Advances funds to or on behalf of a person, in certain cases.

Perhaps more significant than the FTC’s adoption of the Clarification Act’s definition of “creditor”—which the agency described as a “technical revision” to ensure that the regulation is consistent with the text of the statute—is that the FTC expressly declined to exercise its discretionary authority to determine, through rulemaking, that other types of creditors (who do not meet the criteria listed above) are nonetheless covered by the Red Flags Rule because they offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft.  The FTC stated in the interim final rule that it did not intend to use its discretionary rulemaking  authority to extend coverage of the Rule to additional creditors “at this time.” 

Although the door is still open to future rulemakings that would broaden the range of “creditors” subject to the Red Flags Rule, it appears that businesses can, for the time being, rely on the narrower definition adopted by the interim final rule.

Authored by Michael Epshteyn.