The opinion of the court was delivered by: Reggie B. Walton United States District Judge
On August 27, 2009, the plaintiff, the American Bar Association, filed a three-count complaint against the Federal Trade Commission (the "Commission"), alleging that the Commission's application of Final Rule, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63,718 (Nov. 9, 2007) (the "Red Flags Rule" or the "Rule"), to attorneys exceeds the Commission's statutory authority under the Fair and Accurate Credit Transactions Act of 2003 ("the FACT Act"), see Pub. L. No. 108-159, 117 Stat. 1952 (codified at 15 U.S.C. §§ 1681-1681x (2006); 20 U.S.C. §§ 9701-8 (2006)), and therefore the Commission's actions in implementing the Red Flags Rule violates the Administrative Procedure Act, 5 U.S.C. §§ 702-706 (2006) ("APA"), see Complaint for Declaratory and Injunctive Relief ("Compl."). Specifically, the plaintiff alleges that the Commission's application of the Red Flags Rule to attorneys violates 5 U.S.C. § 706(2)(C), as it is "in excess of statutory jurisdiction, authority, or limitations, or short of statutory right," Compl. ¶¶ 54-60 (Count I), and 5 U.S.C. § 706(2)(A), and is "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law," id. ¶¶ 61-64 (Count II), entitling the plaintiff to a declaratory judgment under 28 U.S.C. § 2201 (2006), id. ¶¶ 65-67 (Count III). On September 23, 2009, the plaintiff filed a motion for partial summary judgment in this case on Count I of its three-count complaint, Plaintiff's Motion for Partial Summary Judgment ("Pl.'s Mot.") at 1, which the defendant opposes,*fn1 Defendant's Memorandum of Points and Authorities in Opposition to Plaintiff's Motion for Partial Summary Judgment ("Def.'s Opp'n").
The parties came before the Court on October 29, 2009, for a hearing on the plaintiff's motion for partial summary judgment. Upon consideration of the parties' written submissions, the applicable legal authority, the oral arguments presented by the parties, and for the reasons set forth below, the Court held that the plaintiff's motion for summary judgment on Count I of its complaint must be granted. This opinion is being issued to supplement the Court's oral ruling.
A review of the relevant statutory and regulatory history underlying this action is the first step necessary to understanding the nature of this controversy.
A. The Equal Credit Opportunity Act
The first congressional enactment pertinent to this matter is the Equal Credit Opportunity Act, 15 U.S.C. § 1691 (2006) ("ECO Act"). The ECO Act was passed by Congress in 1974 to eliminate discrimination by creditors against credit applicants on the basis of sex or marital status with respect to all aspects of credit transactions, Pub. L. No. 93-495, § 502, 88 Stat. 1500, 1521 (1974) (codified as Note, Congressional Findings and Statement of Purpose, 15 U.S.C. § 1691). The ECO Act defines "creditor" as "any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit." 15 U.S.C. § 1691a(e). Therefore, implicitly significant to the definition of creditor is the term "credit," and the ECO Act defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor." 15 U.S.C. § 1691a(d) (emphasis added).*fn2
B. Fair and Accurate Credit Transactions Act of 2003
In 2003, Congress passed the FACT Act, which incorporated by reference the definitions of "creditor" and "credit" found in the ECO Act, see 15 U.S.C. § 1681a(r)(5). The aim of the FACT Act is "to prevent identity theft, improve resolution of consumer disputes, improve the accuracy of consumer records, make improvements in the use of, and consumer access to, credit information." H.R. Rep. No. 108-396, at 65-66 (2003) (Conf. Rep.), reprinted in2003 U.S.C.C.A.N. 1753-54. In furthering Congress's expressed aim, the FACT Act provides, in pertinent part, that agencies, including the Commission, shall:
(A) establish and maintain guidelines for use by each financial institution and each creditor regarding identity theft with respect to account holders at, or customers of, such entities, and update such guidelines as often as necessary;
(B) prescribe regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines established pursuant to subparagraph (A), to identify possible risks to account holders or customers or to the safety and soundness of the institution or customers . . . .
15 U.S.C. § 1681m(e)(1)(A)-(B). Congress granted agencies the authority to enforce their administrative rules and regulations adopted to advance the objectives of the FACT Act through injunctive relief and the imposition of civil monetary penalties on violators. See 15 U.S.C. § 1681m(h)(8)(B) (incorporating enforcement scheme established by 15 U.S.C. § 1681s).
1. The Commission's Rulemaking: The Red Flags Rule
Pursuant to the congressional grant of authority provided in the FACT Act, on July 18, 2006, the Commission, along with several other agencies (including the Department of the Treasury's Office of the Comptroller of the Currency and Office of Thrift Supervision, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the National Credit Union Administration) took the first step in the administrative rulemaking process by publishing in the Federal Register a joint notice of proposed rulemaking to implement sections of the FACT Act. See Identity Theft Red Flags and Address Discrepancies Under Fair Accurate Credit Transactions Act of 2003, Proposed Rule, 71 Fed. Reg. 40,786 (July 18, 2006) ("Proposed Red Flags Rule"). As the FACT Act directed, the Proposed Red Flags Rule indicated that "[t]he Agencies . . . [were] proposing joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, including a provision requiring credit and debit card issuers to assess the validity of a request for a change of address under certain circumstances." Id. at 40,786.
On November 9, 2007, after the period for notice and comment expired, the agencies issued their final rule. See the Red Flags Rule. According to the Commission, the following obligations are imposed on creditors and financial institutions by the Red Flags Rule:
Each creditor or financial institution "must periodically determine whether it offers or maintains covered accounts . . ." 16 C.F.R. § 681.1(c). If it does, the covered entity must develop and implement a written identity theft prevention program to identify, detect and respond to possible risks of identity theft applicable to them. 16 C.F.R. § 681.1(d). The program would need to specify measures implemented to prevent identity theft, for example by checking a government-issued picture ID card for new accounts or customers. The program would also need to indicate how the entity will respond if a red flag has been detected so as to mitigate the risks of ID theft, such as not billing the client or consumer whose identity was compromised, ensuring that information relating to the identity thief is not commingled with that of the victim, or reporting incidents of identity theft to law enforcement agencies. The covered entity needs to update its program periodically to guard against current ID theft risks, and provide for the continued administration of the program. 16 C.F.R. § 681.1(e).
It is important to note that no statement indicating that the Rule would be applicable to the legal profession accompanied either the Proposed Red Flags Rule or its final version, or was included in the comments accompanying the rulemaking. Indeed, with respect to the definition of credit and creditor, the Rule reiterated that the Commission was adopting by reference the definitions of these terms as set forth in the ECO Act, 15 U.S.C. § 1681a(r)(5), see 72 Fed. Reg. at 63,722, and added that creditors subject to the regulations "include[d] lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies," 16 C.F.R. § 681.1(b)(5).
Similarly, with respect to the "covered account[s]" governed by the Red Flags Rule, the agencies stated that the following types of accounts were covered:
[a]n account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.
16 C.F.R. § 681.1(b)(3)(i). However, the Rule also provided that a "covered account" could include "[a]ny other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks." 16 C.F.R. § 681.1(b)(3)(ii).
2. Delays in Implementation of the Red Flags Rule
The Red Flags Rule was scheduled to take effect on January 1, 2008, with a "mandatory compliance" date of November 1, 2008. 72 Fed. Reg. at 63,718. However, on October 22, 2008, the Commission issued a press release indicating that it would institute a six-month delay in the enforcement of the Rule until May 1, 2009, see Press Release, FTC Will Grant Six-Month Delay of Enforcement of 'Red Flags' Rule Requiring Creditors and Financial Institutions to Have Identity Theft Prevention Programs (Oct. 22, 2008),*fn3 due to what the Commission perceived as confusion by entities as to whether they were subject to the Rule. The Commission stated that despite its outreach efforts, many entities and industries that the Commission viewed as being covered by the Final Red Flags Rule "were [still] uncertain about their coverage under the Rule" and therefore needed additional time to comply with the Rule. Id. The Commission reiterated in its October 22, 2008 press release that the ECO Act's definition of creditors would govern and added the following statement for clarification: ...