This content is for informational and educational purposes only and is not legal, financial, or tax advice. No attorney-client relationship is created by reading or using this article. Federal, state, and local rules may differ and may change without notice. A qualified professional can review specific circumstances. The author and publisher assume no liability for actions taken based on this content.
Key Facts
- Federal level: The FTC’s Red Flags requirements appear in 16 CFR Part 681 and include a written Identity Theft Prevention Program for covered financial institutions and creditors.
- Federal level: 16 CFR 681.1 specifies that the program must detect, prevent, and mitigate identity theft through reasonable policies and procedures.
- Federal level: The underlying statutory authority for the identity-theft program framework is 15 U.S.C. § 1681m(e), which directs guidelines and regulations requiring reasonable identity-theft policies and procedures.
- Federal level: Pub. L. 111-319 (the Red Flag Program Clarification Act of 2010) amended 15 U.S.C. § 1681m(e) by adding a definition of “creditor” tied to covered activities and excluding certain incidental-expense advances.
- Federal level: The Clarification Act led the D.C. Circuit to hold that the pending appeal was mooted, vacating the district court judgment and dismissing the case as moot.
- Federal level: In May 2010, the FTC described delaying enforcement of the Red Flags Rule through December 31, 2010 while Congress considered legislation affecting the scope of covered entities.
Last reviewed: May 2026. Legal rules, forms, deadlines, and procedures can change by jurisdiction, agency, and court system.
- What this archived ABA/FTC item is, and what is not recoverable
- Why the Red Flags Rule dispute turned on statutory scope
- The federal baseline: 16 CFR Part 681’s written Identity Theft Prevention Program
- The statutory backbone in 15 U.S.C. § 1681m(e) and what Congress clarified in 2010
- How the Clarification Act changed the litigation outcome in No. 10-5057
- The historical enforcement timing context described by the FTC in May 2010
- Why this 2010 archive item can still help modern readers understand today’s rule
- Federal vs. state legal roles in identity theft compliance
- Sources
What this archived ABA/FTC item is, and what is not recoverable
The archived target item concerns a statement attributed to ABA President Carolyn B. Lamm responding to an FTC appeal related to “Red Flags” litigation during the 2009–2011 period. During this archive recovery run, the legacy ABA-hosted page at the provided abanow.org URL returned an HTTP 404, and the corresponding TheFirstFile page returned “page not found,” so this recovery cannot reliably reproduce or quote the statement’s exact wording.
Why the Red Flags Rule dispute turned on statutory scope
The “Red Flags” framework sits at the intersection of (1) the Fair Credit Reporting Act’s identity-theft provisions and (2) FTC regulations that translate those provisions into program requirements. A key flashpoint in the 2010–2011 period was which entities counted as a covered “creditor” under the statutory program structure.
The D.C. Circuit opinion in American Bar Association v. FTC, No. 10-5057, explains that enactment of the Clarification Act mooted the appeal, which in turn led to vacatur and dismissal as moot.
The federal baseline: 16 CFR Part 681’s written Identity Theft Prevention Program
Today’s controlling regulatory text for the identity-theft “Red Flags” requirements appears in eCFR 16 CFR Part 681. The regulation provides that the Red Flags obligations apply to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the FTC.
Program design and required elements
Under 16 CFR 681.1, covered financial institutions and creditors must develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft. The regulation also requires “reasonable policies and procedures” to identify relevant “Red Flags,” detect “Red Flags,” respond appropriately to detected “Red Flags,” and update the program periodically to reflect changes in risks from identity theft.
The statutory backbone in 15 U.S.C. § 1681m(e) and what Congress clarified in 2010
The FTC’s regulations trace back to 15 U.S.C. § 1681m(e), which directs federal agencies to jointly establish and maintain guidelines regarding identity theft and to prescribe regulations requiring each financial institution and each “creditor” to establish reasonable policies and procedures related to identity theft. The statute also directs that the guidelines identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.
What Pub. L. 111-319 changed about “creditor” scope
In December 2010, Congress enacted Pub. L. 111-319. That law amended 15 U.S.C. § 1681m(e) by adding a statutory definition of “creditor” that ties covered status to specified activities, including: (i) regularly obtaining or using consumer reports; (ii) regularly furnishing information to consumer reporting agencies; or (iii) regularly advancing funds based on an obligation to repay. The same enacted text also excluded certain advances for expenses incidental to a service provided, and it made the amendment effective on the date of enactment (December 18, 2010).
Compact comparison of controlling legal inputs
| Legal source | Role in the “Red Flags” framework |
|---|---|
| 15 U.S.C. § 1681m(e) (as amended) | Supplies statutory authority and the statutory “creditor” definition that affects who falls under the program |
| 16 CFR 681.1 (in 16 CFR Part 681) | Translates the statute into a written Identity Theft Prevention Program requirement with specific program functions |
How the Clarification Act changed the litigation outcome in No. 10-5057
In American Bar Association v. FTC, No. 10-5057, the D.C. Circuit held that the enactment of the Clarification Act mooted the appeal and required the court to vacate the district court’s judgment and dismiss the case as moot.
The historical enforcement timing context described by the FTC in May 2010
The May 2010 FTC press release described the agency delaying enforcement of the “Red Flags” Rule through December 31, 2010 while Congress considered legislation affecting the scope of entities covered by the Rule. The press release also stated that the delay was limited to the Red Flags Rule and did not extend to other address discrepancy provisions in 16 C.F.R. § 641 or 16 C.F.R. § 681.2.
Why this 2010 archive item can still help modern readers understand today’s rule
Archived advocacy and statements from the ABA/FTC dispute can feel disconnected from the modern regulatory text because they were tied to (1) the statutory meaning of “creditor” at the time and (2) the procedural posture of a pending appeal. The controlling reference points for today’s federal “Red Flags” requirements remain the current text in 16 CFR Part 681 and the amended statutory framework in 15 U.S.C. § 1681m(e). For archive context on how the ABA communicated during that era, TheFirstFile also preserves other ABA leadership-statement entries, including “ABA president statement on Supreme Court decision.”
Federal vs. state legal roles in identity theft compliance
The federal “Red Flags” obligations discussed here come from federal law and federal regulations: the statutory authority in 15 U.S.C. § 1681m(e) and the FTC’s implementing requirements in 16 CFR Part 681. State law varies, and states may address identity theft and related fraud through separate state statutes and rules that do not change the federal Red Flags program structure described in the federal sources above.