On October 22, 2008, the Federal Trade Commission (FTC) announced that it will delay or suspend enforcement of the “Red Flags Rule” for six months, until May 1, 2009. This rule (codified at 16 C.F.R. 681.2) requires “financial institutions” and “creditors” to develop and implement written identity theft prevention programs and was promulgated under the Fair and Accurate Credit Transactions Act of 2003 (Pub. L. No. 108-159, 117 Stat. 1952). To read the FTC’s announcement, click here: http://www.ftc.gov/opa/2008/10/redflags.shtm.

In announcing the six-month delay of enforcement, the FTC cited the confusion and uncertainty within some industries about the coverage and applicability of the Red Flags Rule and the lack of sufficient time for entities which had been unaware that they fell within the scope of the rule to develop programs meeting the requirements of the rule by the November 1, 2008 compliance date. The FTC indicated that the six-month delay would allow covered entities to take the appropriate care and consideration in developing and implementing their programs and would give the FTC time to conduct additional education and outreach regarding the rule.

The terms “financial institution” and “creditor” are defined very broadly in the Red Flags Rule and cover a wider scope of entities than are generally required to comply with FTC rules in other contexts. For example, in an enforcement policy statement issued in conjunction with the announcement of the delay of enforcement (see http://www.ftc.gov/os/2008/10/081022idtheftredflagsrule.pdf), the FTC states that “any person that provides a product or service for which the consumer pays after delivery is a creditor.” The six-month delay of enforcement provides additional time for entities to assess whether, and to what extent, they are subject to the Red Flags Rule and to then, if necessary, develop and implement programs. However, entities that may be subject to the Red Flags Rule would be well-advised to undertake such an assessment very soon and, if appropriate, to promptly begin efforts toward compliance, as development and implementation of an identity theft program meeting the requirements of the Red Flags Rule will require time.

The delay in enforcement by the FTC is limited to the requirement for financial institutions and creditors to establish identity theft prevention programs and does not extend to the related regulations regarding address discrepancies that are applicable to users of consumer credit reports (see 16 C.F.R. 681.1) or those concerning changes of address that are applicable to card issuers (see 16 C.F.R. 681.3). The delay also does not apply to FACTA regulations issued by other federal agencies.