Beginning January 1, 2011, creditors with covered accounts need to be in compliance with the Federal Trade Commission's identity theft regulations, widely known as the Red Flags rule. Although the rule, requiring entities to have certain policies and practices in place, has been in effect for more than two years, repeated enforcement delays had been issued in the meantime while Congress considered changes to which entities would be covered.
In December, Congress finally acted, passing the Red Flag Program Clarification Act of 2010 (PL111-39). The changes are primarily designed to exempt small businesses, such as doctors' offices, accountants, and small stores, from the requirements. Most colleges and universities are unlikely to be affected by the modification of the definition of a creditor. (Note that neither the law nor the FTC regulations specify particular types of covered entities; the determination is made based on the activities in which an entity engages as part of its business.)
Under the new definition, an entity is a creditor if it regularly and in the ordinary course of business does one or more of the following:
1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
2) furnishes information to consumer reporting agencies in connection with a credit transaction; or
3) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.
While higher education institutions don't normally use consumer credit reports, most do report to consumer credit agencies and advance funds (through tuition payment plans and federal and institutional loans) to help students cover their bills.
The FTC has not yet issued any guidance based on the new legislation. Institutions with questions about whether they are still covered by the rules should consult their legal counsel.