FTC delays Red Flags enforcement, new legislation could exempt DVMs

VIN, AVMA offer model programs to help veterinarians get into compliance

November 3, 2009 (published)
By Jennifer Fiala

The Federal Trade Commission (FTC) has pushed back the deadline for enforcement of its new anti-fraud regulations for a fourth time. Business owners and financial institutions that extend credit must now be in Red Flags compliance by June 1, 2010.

The former deadline for Red Flags compliance was Nov. 1. News of the seven-month reprieve was released on Oct. 30, the same day that the U.S. District Court for the District of Columbia handed down a decision that Red Flags rules do not apply to attorneys.

Veterinary practices might also soon be free from Red Flags requirements if Congress enacts HR 3763, which the U.S. House of Representatives passed unanimously on Oct. 20. The amendment to the Fair Credit Reporting Act exempts healthcare facilities, accounting and legal practices that employ fewer than 20 people from FTC’s new rules requiring financial institutions and creditors — a category that almost all veterinary practices fall into — to establish a written policies and procedures to protect consumers from identity theft.

HR 3763 also mandates exemptions for businesses that meet one of three guidelines: if business knows its customers individually, if a business performs services in and around the residences of its customers or if a business has not experienced incidents of identify theft or if identify theft is rare for a business of that nature. On Oct. 21, the bill was referred to the Senate Committee on Banking, Housing and Urban Affairs, where a hearing has not yet been scheduled.

In the meantime, the American Veterinary Medical Association (AVMA) warns that despite the commission’s delayed enforcement of Red Flags, veterinarians still are expected to be in compliance with the rule if they fit FTC’s creditor definition. According to the commission, a creditor is “any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” 

Members of the Veterinary Information Network (VIN) have questioned whether referring clients to CareCredit or other third-party payment systems puts a practitioner in the creditor category. FTC does not consider businesses that simply provide CareCredit brochures and accept such payments to be creditors, but those who activity arrange such credit for clients are included in the commission’s creditor definition. 

“Healthcare professionals, including veterinarians, fall into the category of ‘creditors’ because they do not always receive payment in full from their clients at the time of treatment,” states AVMA’s backgrounder on the topic.

The Red Flags rule is mandated by the Fair and Accurate Credit Transactions Act, in which Congress ordered the FTC to author regulations forcing creditors and financial institutions to close security gaps that could lead to consumer identify theft, effective Jan. 1, 2008. In turn, FTC’s Red Flags rule — named for red flags, or indicators of identity theft — requires businesses to establish:

1. Policies and procedures to identify suspicious patters or practices in daily operations that might indicate identity theft.

2. Policies and procedures to detect identified red flags for the business, like fake identification.

3. Actions to take when a red flag is recognized.

4. A system to periodically evaluate a business' Red Flags program as new risks are identified and threats change.

Responding to criticism from the private sector that the Red Flags rules are cumbersome and vague, members of Congress have repeatedly pressured the FTC to allow more time to educate small businesses about Red Flags compliance and to give creditors, which by definition includes most veterinary practices, time to author and implement the identity theft prevention measures.

The latest enforcement deadline of June 1, 2010, falls a year and a half after the Red Flags rules originally was intended to be implemented, on Nov. 1, 2008. Subsequent enforcement deadlines were pushed to May 1, 2009 and Aug. 1, 2009. On July 29, the FTC once again delayed Red Flags enforcement until Nov. 1, 2009.

Although the FTC includes a compliance template on its Web site, veterinarians have expressed disdain for the new requirements, stating that they are confusing and burdensome. AVMA is among the many professional groups that are trying to get its members off the hook when it comes to the Red Flags mandate. In a letter to Congress dated June 4, 2009, AVMA and 28 other healthcare organizations stated that the FTC failed to consider the financial impact that the Red Flags program would have on healthcare providers.

While the profession waits to see if Congress opens the HR 3763 loophole, AVMA has come up with a step-by-step guide to help veterinarians get into Red Flags compliance. The move follows a series of webinars AVMA hosted earlier this year with a private consulting firm. Some veterinarians who sat in on the conferences criticized the meetings when it was discovered that the legal consultants were short on guidance and ultimately selling their services.

VIN, in response to concern from its members, developed its own model for veterinary practices. The law firm of Kern Augustine Conroy & Schoppmann, P.C., provided VIN with a sample program they drafted for healthcare professionals. VIN utilized this sample and developed its program with the assistance of its general counsel Raphael Moore, which includes a video training presentation, Red Flags template, confidentiality notice template and Red Flags FAQ sheet, along with links to an FTC guide as well as rules and regulations.

"Compliance with the Red-flag requirements really isn't that hard, since most of the requirements are common sense ones that most veterinarians probably already have in place," Moore says. "The trick is to be able to document them, and make sure your staff is not only aware of your security policies, but follows them.

"The material VIN provides is intended to make compliance that much easier, and provide the relevant information at the practitioners' fingertips," he adds. "We hope it will help veterinarians protect themselves and their clients."

VIN News Service commentaries are opinion pieces presenting insights, personal experiences and/or perspectives on topical issues by members of the veterinary community. To submit a commentary for consideration, email

Information and opinions expressed in letters to the editor are those of the author and are independent of the VIN News Service. Letters may be edited for style. We do not verify their content for accuracy.