The new Red Flag Rules went into effect on December 18, 2010 as part of the Red Flag Program Clarification Act of 2010.  The act amends the Fair Credit Reporting Act (FCRA) to establish identity theft guidelines for creditors.  The Red Flag Rules were postponed previously from going into effect due to confusion over which businesses were required to comply with the program.

The new measure claries which businesses must comply with the Red Flag rules and implement an Identity Theft Prevention Program.  The definition of "Creditor" has been defined as someone who "regularly and ordinarily in the course of business" who (1) obtain or use consumer reports, (2) furnish informaiton to consumer reporting agencies in the course of a credit transaction or (3) advance funds on behalf of a person based on the obligation to repay.

This clarification of creditor could exempt certain businesses such as attorneys, physicians, dentists and health care providers.  It does not create an exemption for certain service providers such as collection agencies and billing agencies, especially if those service providers use consumer reports or report accounts to consumer reporting agencies.  If a health care provider doesn't report accounts to a consumer's credit report, but once the account is referred to a collection agency and they have the collection agency report the account, then the health care provider may be required to comply with the Red Flags Rules.

Businesses should review the rules and/or consult with their own legal counsel to determine if they fall under the definition of "Creditor" and whether or not they need to implement an Identity Theft Prevention Program to to comply with the Red Flag Rules.

Enforcement of the Red Flag Rules went into effect on December 31, 2010.