On October 30, 2009, the Fair Trade Commission announced the fourth delay in the enforcement date for the Red Flags Rule, from November 1, 2009, until June 1, 2010. The latest delay permits Congress to further review the issue regarding whether certain types of entities should be excluded from the application of the Red Flags Rule. Recently, under the Red Flags Rule, a company is required to develop and implement policies and procedures designed to identify and prevent identity theft from certain “covered accounts.” A “covered account” includes consumer accounts, a mortgage, and certain business accounts. In order to determine which business accounts would be deemed to be “covered accounts,” an institution must conduct a risk assessment of its business accounts and identify whether the business accounts could be at risk for identity theft.

TIP: If you are covered by the Red Flags Rule, you should consider completing the following steps to ensure compliance by June 1, 2010: (1) review the existing customer base to identify any accounts maintained for personal, family, or household purposes; (2) review the existing customer base to identify any business accounts; (3) perform a risk assessment for each business account and stratify the identity-theft risk associated with each account; (4) develop and implement policies and procedures no later than June 1, 2010; and (5) review the policies and procedures and customer base on a periodic basis for any changes in identity-theft risks, and revise the policies and procedures as necessary.