In a press release issued yesterday, the FTC announced that enforcement of the "Red Flags Rule" ("the Rule"), which was scheduled to begin today, is being extended to August 1, 2009, in order to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.
Promulgated under the Fair and Accurate Credit Transactions Act (FACTA) in order to combat identify theft, the Rule requires "financial institutions" and "creditors" with "covered accounts" to implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with opening new accounts and maintaining existing accounts.
In its announcement, the FTC noted continuing concerns about the Rule:
"Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further," FTC Chairman Jon Leibowitz said.
The FTC also announced that for entities that have a low risk of identity theft, such as businesses that know their customers personally, it will soon release a template to help them comply with the law.
The announcement does not affect other federal agencies' enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight, for example, state and nationally chartered banks, and savings and loans.
In addition to banks, savings and loans, and credit unions, "financial institutions" covered by the Rule include entities directly or indirectly holding around transaction accounts, i.e., consumer accounts from which checks can be written or other transfers made to third parties, including mutual funds that offer check writing privileges.
The FTC has taken the position that the Rule does not apply to include or exclude any industry. Rather, applicability depends on whether the company is a "financial institution" or "creditor" with "covered accounts" as defined in the Rule. Thus, any company which extends credit to consumers to purchase its products may become a "creditor." Both creditors and financial institutions must conduct a risk assessment to determine whether they have any accounts for which a reasonably foreseeable risk of identity theft exists.