Obama signs Red Flags Rule clarification into law
WASHINGTON—Even though President Obama signed the "Red Flag Program Clarification Act " into law last month, experts say it's not entirely clear that security companies don't have to worry about complying with Red Flags Rule.
President Obama in December signed the Red Flag Program Clarification Act of 2010 into law. In March of 2010, the CSAA conducted a webinar on the Red Flags Rule that examined just how much non-compliance could cost you. The Red Flags Rule compliance deadline has been postponed a number of times, but with President Obama’s signing of the Clarification Act, compliance is now a matter of law. But who has to comply? What does this new clarification mean for alarm companies? A legal expert and security industry advisor says there’s still plenty to consider.
Mary Sisak, a partner at Blooston, Mordkofsky, Dickens, Duffy & Prendergast, led the CSAA’s March webinar and said at the time that security companies needed to be aware of the rules and what compliance entailed. What has changed with the signing of the Clarification Act?
“The new law modifies the definition of ‘creditor’ to limit the circumstances in which creditors are covered by the Red Flags Rule,” Sisak told Security Systems News. “Under the old definition, the rules applied to any creditor with covered accounts. Creditor included anyone who extended credit, including deferring payment for goods or services.”
The law now states that the FTC rule should only apply to businesses that obtain or use consumer reports, directly or indirectly, in connection with credit transactions; furnish information to consumer reporting agencies in connection with a credit transaction; and advance funds to or on behalf of a person based on an obligation to repay the funds or repayable from specific pledged property. However, the new law also gives the FTC the authority to apply the rule to businesses whose accounts the FTC decides are subject to a reasonably foreseeable risk of identity theft.
So does this mean security companies can breath a sigh of relief and put off implementing identity theft protection programs?
“The new law does not specifically exempt alarm or security businesses—or any type of business—from the rules. Rather, it limits the applicability of the rules to creditors that also meet one of the additional elements. Therefore, alarm and security companies that meet the elements of the new definition of creditor could still be affected,” Sisak said. “In addition, the Act also gives the FTC the ability to impose the red flag requirements on ‘any other type of creditor … as the agency … may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.’”
Sisak said the FTC will provide more information on an ongoing basis. “The FTC has stated that it will provide further information on the new law and its impact on the Red Flag Rules. This information is not available at this time.”
Many health care providers, such as doctors and physicians, as well as many law firms, CPAs and other types of professional service providers, are exempted under the new law.