The U.S. Senate voted unanimously this week to pass the Red Flag Program Clarification Act of 2010, which limits the scope of businesses covered by the rule, essentially giving an exemption to lawyers, doctors, accountants, dentists, orthodontists, pharmacists, veterinarians, nurse practitioners and social workers and other service providers.
The Red Flags Rule, developed in accordance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), requires financial institutions and other organizations classified as “creditors” to develop programs to identify, detect and respond to indications of identity theft.
The rule has been met with pushback, resulting in numerous delays. Several groups oppose the rule's definition of “creditor," saying it is too broad and would cover small businesses in industries where identity theft poses little threat.
The American Medical Association (AMA), for example, filed a lawsuit in federal court seeking to prevent the FTC from extending the Red Flags Rule to physicians. The AMA's lawsuit followed two similar complaints – one filed by the American Bar Association on behalf of lawyers and one by the American Institute of Certified Public Accountants on behalf of accountants.
Under the existing rule, doctors and other service providers were classified as “creditors” because they let clients pay after they provided services, said Sen. Mark Begich, D-Alaska. These businesses generally do not, however, offer or maintain accounts that pose a reasonable risk of identity theft.
Under the new legislation, the rule would apply only to organizations that use consumer reports in connection with credit transactions, provide information to consumer reporting agencies or loan money.
“Unless this bipartisan bill becomes law, many small businesses for which identity theft is not a threat could be required to spend time and effort to comply with the Red Flags Rule,” said Begich, according to Tuesday's Congressional Record. “Small businesses are the economic drive of our country, and…should be focused on job creation and should not have to spend the money to comply with regulatory burdens disproportionate to the scope of the identity theft problem."The bill will now go to the House of Representatives for a vote.