On December 18, 2010, President Obama signed into law the “Red Flag Program Clarification Act of 2010” (S.3987), which amends the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.  The law limits the scope of the Federal Trade Commission’s Identity Theft Red Flags Rule (“Red Flags Rule”), which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.

The Clarification Act limits application of the Red Flags Rule to creditors that regularly and in the ordinary course of business: (1) obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on a person’s obligation to repay the funds or on repayment from specific property pledged by or on the person’s behalf.

The revised definition of “creditor” excludes creditors “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”  This exclusion addresses a widespread concern among stakeholders that the original FCRA definition improperly extended the Red Flags Rule’s scope to implicate entities not typically thought of as creditors, including law firms and health care providers.

The amended definition also includes other creditors whose regulating authority promulgates a rule pursuant to “a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”

On December 3, we reported that S.3987 passed the Senate after companion legislation (H.R. 6420) was introduced in the House of Representatives on November 17, 2010.  The House of Representatives passed the Senate bill on December 7.

The President also signed the Social Security Number Protection Act of 2010 into law on December 18.