Red Flag Rules: Are They Applicable to You?
Overview
The Office of the Comptroller of Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, the Office of Thrift Supervision, National Credit Union Association, and the Federal Trade Commission (“FTC”) issued regulations, known as the “Red Flag Rules,” requiring financial institutions and creditors to develop and implement written programs to detect, prevent and mitigate instances of identity theft. These interagency regulations implement legislation under section 114 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”). These programs must be in place by November 1, 2008. While the application of these rules to financial institutions is no surprise, the scope of the rules’ applications to creditors – including health care providers – poses a potential trap for the unwary and the unprepared.
Definitions under the Red Flag Rules
With the November 1 deadline quickly approaching, health care providers and other potential “Creditors” must determine whether the Red Flag Rules apply to their operations. Certain key definitions come into play.
Creditors and Credit. All financial institutions and “Creditors” must implement the Red Flag Rules for “Covered Accounts.” The definition of “Creditor” is the same definition of Creditor that is used in the Equal Credit Opportunity Act (“ECOA”), which defines a Creditor as a person who regularly extends, renews or continues credit. Regulation B under ECOA defines a Creditor as a person who, in the ordinary course of business, regularly participates in a credit decision.
ECOA defines “credit” as a right granted by a Creditor to defer payment of a debt, incur debt and defer its payment or to purchase property or services and defer payment for such property or services. As a result, if a transaction provides for the deferral of payment of a debt, it is a covered “credit” transaction for purposes of ECOA and, in turn, the Red Flag Rules. With these rather broad definitions of Creditor and an expansive interpretation by the FTC of its authority, the FTC has taken the position that nonprofit and government entities that defer payment for goods or services are to be considered Creditors for the purposes of the Red Flag Rules.
Covered Accounts. A “Covered Account” is: (i) an account that the Creditor offers or maintains that involves or is designed to permit multiple payments or transactions and is used for personal, family or household purposes, or (ii) any other account that the Creditor offers or maintains for which there is a reasonably foreseeable risk to customers or the safety and soundness of the Creditor from identity theft. While the first component of this definition is broad, the second component is even broader. Therefore, if it is determined that an entity is a Creditor, it is most likely going to be concluded that the Creditor also has Covered Accounts.
Identity Theft Programs under the Red Flag Rules
As stated above, the Red Flag Rules require financial institutions and “Creditors” holding “Covered Accounts” to develop and implement an identity theft prevention program. The program must at least contain the following four components:
- It must identify relevant “Red Flags” that signal possible identity theft;
- It must have a procedure to detect the Red Flags that have been incorporated into the program;
- It must provide for appropriate responses to any detected Red Flags to prevent or mitigate identity theft;
- It must contain provisions that insure that the program is updated periodically to reflect any risk changes.
Examples of “Red Flags” include address discrepancy, name discrepancy on identification and insurance information, unusual account activity related to a covered account, fraud alerts on a consumer report, or attempted use of suspicious account application documents.
Applicability of the Red Flag Rules to Health Care Providers
Health care providers are not typically thought of as “Creditors.” More often, this term is associated with banks, mortgage lenders or credit card companies. However, the Red Flag Rules apply to any company that provides goods or services without requiring payment in full at the time the goods or services are provided. The FTC, one of the federal agencies charged with enforcement of the Red Flag Rules, has taken the position that the rules apply to health care providers who do not require payment in full at the time services are rendered. Therefore, based on the FTC position, a health care provider would be deemed to be a “Creditor” and have “Covered Accounts,” whenever the provider (a) allows a patient to pay less than the full amount due at the time services are rendered, (b) allows a patient to pay in installments and, possibly, (c) accepts payments from more than one insurance company or benefit provider on behalf of a patient.
Given the November 1 compliance deadline, health care providers should promptly review their payment programs and policies to determine whether they are “Creditors” with “Covered Accounts.” If they are, providers should take immediate steps to establish written identity theft programs in accordance with the Red Flag Rules and related guidance documents. The initial written program must be approved by the health care provider’s governing board or a designated committee of the board. This may seem intimidating, but board approval is only necessary for the initial written program. Subsequent modifications to the written program can be approved by a member of the provider’s senior management team. If the provider does not have a board, then a designated senior management employee must approve the program.Once approved, the program should be implemented by all relevant departments of the provider.
Intersection with the Wisconsin Consumer Act
Due to the similarity between creditrelated terms under the FACT Act and ECOA rules on the one hand, and the Wisconsin Consumer Act (“WCA”) on the other, questions may arise as to whether compliance with the Red Flag Rules will cause providers to become subject to the WCA. Applicability of the WCA to providers requires a case-by-case analysis that is independent of the Red Flag Rules.
The Wisconsin Court of Appeals has determined that the WCA is intended to apply to situations in which there is an agreement made before services are rendered permitting a debtor to pay over time. An arrangement that allows a debtor to pay over time only after attempts at collecting the bill in full have failed does not cause the transaction to become a consumer credit transaction. Therefore, as long as a health care provider does not have payment deferral agreements in place at the time the services are rendered and makes aggressive and appropriate efforts to collect in full all invoices when issued, the provider should not be deemed to be a Creditor or be deemed to be involved in a Consumer Credit Transaction for the purposes of the WCA. This assumes there is no finance charge imposed.
Definitions of “Creditor,” “Merchant,” “Consumer Transaction,” and “Consumer Credit Transactions” under the WCA, while similar in some respects to the definitions of credit related terms under the FACT Act and ECOA, are not identical to those definitions. Therefore, it is possible for the FACT Act to apply to a health care provider but for the provider’s payment programs not to be within the scope of regulation under the WCA.
Under the WCA, a “Creditor” is a “Merchant” who regularly engages in a “Consumer Credit Transaction.” A “Merchant” is a person who regularly offers or deals in services in a manner which results in, leads to or induces a “Consumer Transaction.” A “Consumer Transaction” is one where one or more parties is a “Consumer.” “Services” are defined for the Consumer Act to include hospital accommodations. A “Consumer Credit Transaction” is a “Consumer Transaction” between a “Merchant” and a “Customer” in which services are acquired on credit and the obligation is payable in installments or for which a charge is or may be imposed. “Credit” is defined as a right granted by a “Creditor” to defer payment of a debt or to incur debt and defer its payment.
von Briesen Legal Update is a periodic publication of von Briesen & Roper, s.c. It is intended for general information purposes for the community and highlights recent changes and developments in the legal area. This publication does not constitute legal advice, and the reader should consult legal counsel to determine how this information applies to any specific situation.