House Approves Red Flags ExemptionsBill Now Awaits President's Signature
The bill, which the Senate approved by unanimous consent Nov. 30, now goes to the president for his signature.
Sens. John Thune, R-S.D., and Mark Begich, D-Alaska, introduced the measure, S 3987. Unlike an earlier bill the two senators introduced in May, the latest version approved by the House and Senate does not spell out that certain professionals with 20 or fewer employees are exempt. Instead, it uses more general terms to more narrowly define the term "creditor" so that, in effect, far fewer organizations must comply with the Red Flags Rule.
Red Flags ExemptionsIn a colloquy in support of the bill last week, Sen. Christopher Dodd, D-Conn., said the legislation "makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably forseeable risk of identity theft."
The Federal Trade Commission has postponed enforcement of the Red Flags Rule several times. Lawsuits on behalf of attorneys as well as physicians seeking to block the FTC from applying the rule to these professionals are pending.
Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft. The rule applies, for example, to banks and federally-chartered credit unions, which are examined for Red Flags compliance by their federal regulators.
Red Flags ComplianceUnder S 3987, creditors that must comply with the rule would no longer include those who "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."
Creditors that must comply, under the bill, are those that obtain and use consumer reports in connection with a credit transaction and furnish information to consumer reporting agencies. Also included are so-called payday loan companies that don't necessarily use consumer reports, according to a staffer for Begich.
In the colloquy last week, Thune said, "Any other type of creditor may only be covered through a rulemaking based upon an agency's determination that these type of creditors offer or maintain accounts that pose a reasonably foreseeable risk of identity theft."
Don Asmonga, government relations manager for the American Health Information Management Association, said the bill apparently would exempt hospitals as well as physicians. He said he interprets the bill's language to mean "If a hospital does not regularly request credit reports, then they would be exempt from the Red Flags Rule."
A member of Begich's staff summed up the bill in this way: "The Tune-Begich bill narrows the applicability to cover those creditors where identity thieves can do the most harm."