The “Red Flags Rule” was implemented by the Federal Trade Commission in January 2008 pursuant to the Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”).  Broadly speaking, the Red Flags Rule requires entities that extend credit to customers to implement internal procedures to safeguard against identity theft of non-customers.

In 2009, the American Bar Association (“ABA”) sought a declaratory judgment in the District Court of D.C. that would explicitly exempt lawyers from the definition of “financial institutions” in the FACT Act and therefore relieve them of the requirements of the Red Flags Rule.  The FTC countered, asserting, inter alia, that attorneys who regularly permit their clients to defer payments for their legal bills fall within the terms of the FACT Act and therefore are subject to the Red Flags Rule.  The ABA prevailed at the District Court level.

Last Wednesday (July 21, 2010), the FTC filed an appeal to the D.C. Circuit with a 75-page brief, in which it noted that attorneys should be subject to the Red Flags Rule because “[t]here in fact have been a number of reported instances in which attorneys have failed to verify the identity of imposter clients which have facilitated fraudulent property transfers or disbursement of funds, and which have resulted in lawsuits and grievance proceedings against the attorney by the innocent non-client victim.”  The FTC insists that lawyers act as creditors when they provide legal services without immediate payment from a client and that, therefore, monthly billing should be deemed a credit operation.  It has also noted, however, that attorneys who work on a contingency basis should NOT be considered “creditors”, and that the acceptance of an upfront retainer does not create a debtor/creditor relationship.


The Red Flags Rule mandates the implementation of procedures that must be tailored to each institution depending on the manner in which it extends credit.  The FTC has explained these requirements in a March 2009 Release:

The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their “Identity Theft Prevention Programs”.  A Program must include four basic elements, which together create a framework to address the threat of identity theft.

The four basic elements to the program are:

1) Identify Relevant Red Flags

  • Identify the red flags of identity theft you’re likely to come across in your business

2) Detect Red Flags

  • Set up procedures to detect those red flags in your day-to-day operations 

3) Prevent and Mitigate Identity Theft

  • If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done

4) Update your Program

  • The risks of identity theft can change rapidly, so it’s important to keep your Program current and educate your staff

The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations.

As the FTC explained in a June 2008 Release, the red flags fall into five categories:

  • alerts, notifications, or warnings from a consumer reporting agency
  • suspicious documents
  • suspicious personally identifying information, such as a suspicious address
  • unusual use of – or suspicious activity relating to – a covered account
  • notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts


In its brief, the FTC has also noted that attorneys who bill on a deferred basis can be subject to the Equal Credit Opportunity Act (“ECOA”).  It would, therefore, be a violation of the ECOA to vary the payment terms offered to clients based on their race, sex and a number of other suspect categories.