The Federal Trade Commission (FTC) announced on Thursday, April 30, 2009, that it will delay enforcement of the "Red Flags Rule" until August 1, 2009. This surprise announcement, which constitutes the second time that the FTC has delayed the enforcement date for the Rule, is intended to give organizations subject to the Rule additional time to develop and implement the required compliance measures.
The Rule, which became law on January 1, 2008, is intended to help address and prevent identity theft. Among other things, it requires organizations to adopt policies and procedures designed to identify, detect and respond to potential indicators of identity theft that may occur with certain customer accounts. Organizations were initially required to comply by November 1, 2008, but based upon the uncertainty of many businesses and industries which were unaware that they were covered by the Rule, the FTC initially extended the compliance date from November 1, 2008, to May 1, 2009. Now, based on continuing uncertainty as well as opposition by some industries (dentists, physicians) that the Rule is adding exorbitant costs to their practices, the FTC has once again postponed enforcement. The new enforcement date is August 1, 2009.
FTC Chairman Jon Leibowitz stated in a release announcing the postponement of enforcement of the Rule to August 1, 2009, that delaying enforcement will allow the FTC to provide more guidance on the Rule, including to organizations subject to the Rule but with a low risk of identity theft; will allow industries and associations time to provide guidance to their members; and will provide Congress with an opportunity to revisit the Rule and its coverage.
Under the Rule, any entity that regularly extends, renews or continues credit, such as allowing customers to make multiple payments over time, or deferring payment until after the goods or services have been provided, must comply. Given the expansive reach of the Rule, a wide array of businesses, such as product and service suppliers, health care providers, colleges and universities (if they allow students to defer tuition or provide student loans), consulting organizations and law firms, are required to comply with the Rule.
For more information about the Rule, please refer to Baker & Daniels' Client Alert entitled "FTC's Identity Theft 'Red Flag' Obligations: Is Your Organization Required to Comply?" dated March 27, 2009. Baker & Daniels has also developed a Red Flags Rule Compliance Kit to aid organizations toward meeting their compliance obligations under the Rule.
Organizations should contact legal counsel with questions on the Red Flags Rule and compliance.