What is known as the Red Flag Rule was developed under the Fair and Accurate Credit Transactions (FACT) Act. The Red Flag Rule requires financial institutions and creditors with covered accounts to put in place identity theft prevention programs to identify, detect and respond to activities that could indicate identity theft.
The original deadline for compliance was as soon as November 1 - just days away. However, in a recent development, the Federal Trade Commission (FTC) has decided that it will suspend enforcement of the Red Flag Rule until May 1, 2009 to provide financial institutions and creditors extra time to develop and implement identity theft prevention programs.
There likely is a collective sigh of relief - at least for now - among covered entities. They likely appreciate further time to get their identity theft prevention programs in order.
As far as covered entities, financial institutions are deemed those that offer accounts that enable consumers to write checks or to make payments to third parties through other means, including telephone transfers or negotiable instruments.
Creditors are deemed to include any entity that customarily extends, renews or continues credit; any entity that arranges for credit; and any assignee of a creditor that becomes involved in the decision to extend, renew or continue credit. Simply accepting credit cards does not by itself make an entity a creditor for purposes of the Red Flag Rule. Examples of creditors can include finance companies, mortgage brokers and automobile dealers.
One of the primary reasons that the FTC decided to delay enforcement of the Red Flag Rule is that it learned through outreach efforts that some industries and entities were unclear that they were within the ambit of the Rule. Accordingly, and because many of them are not required to comply with FTC rules in other contexts, some of them had not made efforts yet to come into compliance by the time of the original November 1 deadline.
Of course now the FTC, having provided a six-month extension, likely will be less sympathetic later to any lack of compliance by covered entities. For any covered entity that is not yet in compliance with the Red Flag Rule, now is the time to get moving. The new deadline will be here in a heartbeat.
Note: While the FTC has suspended enforcement of the Red Flag Rule until May 1, 2009, this does not necessarily mean that banking agencies have extended the compliance deadline for entitites they regulate.