Does the Red Flags Rule Apply to You?
In an earlier article, I discussed the Red Flag Rule, its mandated creation of identity theft prevention measures and an identity theft program, and its potential application to a wide variety of businesses. The Rule’s application depends on whether a business is a “creditor” and has “accounts.” This article will detail legal efforts to avoid the Rule’s application, and provide information that may enable you to figure out if your business is subject to the Rule’s requirements.
What businesses are covered?
Because of the Rule’s burdensome bureaucratic requirements, companies - especially small businesses - would prefer to avoid its grasp. Moreover companies remain uncertain about whether the Rule applies to them. As a result some industries have marshaled their lawyers to fight its application to their profession. These groups have argued that although they may defer payment for services, they should not be deemed “creditors” under the Rule.
For example, physicians argued that the rule imposes an ‘unjustified, unfunded mandate’ and could have ‘serious adverse consequences’ on patients’ access to health care. Dr. Ardis Hoven, an American Medical Association board member and infectious disease specialist in Lexington, KY., stated that the Rule “adds another degree of regulatory burden for physicians and patients to a system that’s already burdened with responsibilities.”
When the FTC stated that lawyers are subject to application of the Rule, the American Bar Association filed a lawsuit. The ABA obtained the hoped for verdict that the Rule does not apply to their activities, with the Judge in that case finding that the FTC overreached when it tried to define lawyers as “creditors.”
On November 10, 2009, the American Institute of CPA’s (AICPA) filed a lawsuit challenging the applicability of the Red Flags Rule to accountants. AICPA also argued that the rules impose “onerous and unnecessary” requirements on AICPA’s members. The lawsuit was filed in the same Court that enjoined the FTC from enforcing the rules against attorneys.
What about real estate professionals?
The Commission has posted ‘FAQs’ that address how the FTC intends to enforce the Rule and other topics – www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm. But the FAQs do not give the specificity that small business owners with a low risk of identity theft are looking for.
Language in FTC opinion pertaining to its applicability to health care providers gives some indication of how the Rule may be applied to other business. It states:
“If you are a health provider, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule.”
Note the emphasis on the word “regularly.” Therefore, if in your business, customers or clients are not regularly (as a matter of course) allowed to pay on payment plans or obtain services on terms, or do not have the right (e.g., based on a policy, according to a schedule, usually with interest) to pay over time, the Rule shouldn’t apply.
Since most businesses require payment at the time service is rendered, they should not be deemed “creditors.” Occasionally allowing a customer or client to make payments over time when they are unable to pay at the time of service shouldn’t be the regular type of activity targeted by the rule. In addition, simply accepting credit cards does not make you a creditor under the Rule.
Real estate brokerages shouldn’t qualify as creditors because they do not extend credit or accept payment over time or by a payment plan. Nor do brokerages have the type of continuing relationship established to obtain a product or service that equals an “account” under the Rule. But if a brokerage is doing residential property management (so they have personal information and accounts) and regularly allows tenants to pay on payment plans, a more in-depth analysis of potential “Red Flags Rule” liability may be necessary.
Lenders and mortgage brokers are presumably “creditors” and should make an effort to determine if they have “accounts” that fall within the definition of the Rule.
Fortunately in the enforcement FAQs, the FTC states it would be unlikely to recommend bringing a law enforcement action even if there was identity theft, if the business knows their customers or clients individually, it performs services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
The other good news is that there are no criminal penalties for failing to comply with the Red Flags Rule. The FTC would have to initiate an investigation (which presumably would only occur if there was an identity theft), and if a violation was found, only financial penalties could be assessed.
Finally, you have some time to make a Red Flags Rule determination. Because of the legal challenges and the continuing confusion over its applicability, the FTC has delayed its implementation numerous times, with the most recent extension to June 1, 2010. Go to http://www.ftc.gov/redflagsrule for more information.
Mr. Kramoltz is an attorney that specializes in the area of real estate and small business. He is an instructor at the Arizona School of Real Estate and Business, and the owner and designated broker for SimplySold ND Realty. This article is made available with the understanding that it is informational only, and it has not been prepared to provide specific legal advice that may be relied on by a reader.