NYCLA Ethics Institute Federal Trade Commission Red Flags Rule Report

This Report was approved by the Executive Committee of the New York County Lawyers’ Association at its regular meeting on June 23, 2009.

It is clear that the crime of identity theft has become increasingly common and now affects people in all segments of society, including lawyers. See Weiss, “Bradley Arant Reportedly Scammed Out of More Than $400K” ABA Journal (June 2009) available at http://www.abajoumal.com/weekly/bradley_arant_reportedly_scammed_out_of_more_than _400k. In general, attempts to fight identity theft should be applauded and, where appropriate, should merit the Association’s support. However, that is not the case with respect to the Federal Trade Commission’s (“FTC”) new “Red Flag Rules,” (scheduled to go into effect on August 1, 2009), due to the FTC’s intention to apply these rules to the legal profession. It should be noted that the FTC belatedly informed the American Bar Association (“ABA”) in April 2009 of the agency’s intention to apply its new rules to lawyers and law firms. In doing so, the FTC did not provide any specific guidance as to how its Red Flag Rules would, if implemented, operate in the context of a law firm or a sole practitioner.

For these reasons, and as is more fully explained below, we urge the FTC to reconsider its decision to apply the Red Flag rules to the legal profession.

The Red Flag Rules are clearly directed at “financial institutions” and “creditors.” Viewed reasonably in this context, lawyers are, of course, neither of these. However, without sufficient justification, the FTC has determined that the Red Flag Rules are applicable to lawyers and law firms, as well as physicians and other health care providers, because, in the FTC’s view, all of these professionals fall within the legal definition of “creditor” and therefore come under the statute. This strained interpretation ignores the reality that in many instances lawyers are not creditors with respect to their clients. Specific examples of situations where lawyers are not acting as “creditors” include, but are not limited to, the case of a retainer agreement, the prompt payment of its bills by the client, or a contingent fee arrangement—all of which are extremely common circumstances. However, to the extent that any lawyer or law firm does become a “creditor” with respect to a client, that occurrence is so tangential as to make the FTC’s use of it as a basis for including the legal profession within the ambit of the Red Flag Rules untenable.

The Red Flag Rules provide that, “financial institutions” and “creditors” will be required to develop a written program that identifies and detects the relevant warning signs – or Ted flags’ – of identity theft. The FTC has suggested that written programs mandated by the rules should potentially include ways of identifying or detecting unusual account activity or attempted use of “suspicious account application documents,” Additionally, the FTC has stated that such programs should also describe responses that would mitigate or prevent the crime. Such a program must be managed by senior employees of a creditor or financial institution and must include staff training, as appropriate, and provide for oversight of any service providers.

The FTC’s overreaching Red Flag Rules are analogous to the FTC’s similarly ill-founded and ultimately unsuccessful attempt to apply the financial reporting provisions of the Gramm-Leach-Bliley Act (“GLBA”) of 1999 to lawyers. See Am. Bar Ass ‘n v. Federal Trade Commission, 430 F.3d 457 (D.C. Cir. 2005). Title V of the GLBA requires “financial institutions” to disclose in writing to customers, the financial institution’s privacy policy. The FTC considered lawyers and law firms who were “significantly engaged in financial activities” to be “financial institutions,” and therefore were subject to requirements of Title V. The ABA and the New York State Bar Association filed lawsuits seeking declaratory judgments that the FTC did not have the authority to regulate lawyers under the GBLA.

The bar associations prevailed when the D.C. Circuit Court of Appeals found that the FTC’s attempt to regulate lawyers under the GBLA “was an ‘arbitrary and capricious’ violation of the Administrative Procedure Act.” The court added that, “[i]t is undisputed that the regulation of the practice of law is traditionally the province of the states.” Federal law “may not be interpreted to reach into areas of State sovereignty unless the language of the federal law compels the intrusion,” and “if Congress intends to alter the ‘usual constitutional balance between the States and the Federal Government,’ it must make its intention to do so ‘unmistakably clear in the language of the statute.’” The D.C. Circuit further held that, “[Congress] does not … hide elephants in mouseholes”; to regulate lawyers based only on the very general grant of authority in GLBA over “financial institutions” would require the court “to conclude that Congress not only had hidden a rather large elephant in a rather obscure mousehole, but had buried the ambiguity in which the pachyderm lurks beneath an incredibly deep mound of specificity, none of which bears the footprints of the beast or any indication that Congress even suspected its presence.”

With its Red Flag Rules, the FTC is once again trying to regulate the practice of law through an over-broad application of a set of rules that were clearly written with the intention of being applied to financial institutions. There is no legitimate basis for the FTC to regulate the legal profession in this way. nor has the FTC even made a showing that new rules would accomplish any positive practical effect in this context.

The regulation of lawyers is best left to the states. As the U.S. Supreme Court has stated, “[s]ince the founding of the Republic, the licensing and regulation of lawyers has been left exclusively to the States and the District of Columbia within their respective jurisdictions.” While it is not necessary for the present purpose to even consider the larger question of whether or not it is appropriate for the FTC to regulate lawyers in any fashion, it is important to observe that the application of these Red Flag Rules, directed at “financial institutions” and “creditors,” to lawyers could have potentially broad and disturbing implications for the bar and the public.

If applied to lawyers, the Red Flag Rules would have the potential to intrude on the profoundly confidential nature of the client-lawyer relationship that is now regulated by the states through the Rules of Professional Conduct. Given the wide range of circumstances under which a client-lawyer relationship can develop, these Red Flag Rules would have a negative impact on the client-lawyer relationship and, in some cases, would limit a client’s access to legal advice. For example, it would have a chilling impact on client-lawyer relationships if lawyers were now required to demand certain specific personally identifiable information from a client before providing advice. [“I am sorry, but before I am able to provide you with legal advice, I must first ask you some questions that are required by the Federal Government.”] Clearly, some clients will be reluctant to provide this information and will be put in the position of having to decide whether to provide this personal information or go without the advice of counsel. As things stand, there is nothing that would prevent lawyers from undertaking their own sound due diligence before agreeing to a representation. It is obvious that under the current circumstances, the unarticulated benefit of applying the Red Flag Rules to the legal profession, as the FTC proposes to do, is outweighed by the very real damage that the rules would impose on the client-lawyer relationship that public policy that has guarded so carefully for centuries.

For these reasons, the Association is opposed to the FTC’s proposed application of its proposed Red Flag Rules to lawyers and law firms, and urges the FTC to reconsider its position.