On the eve of the enforcement deadline of the Red Flags Rule, the Federal Trade Commission (FTC) extended the deadline for enforcement once again to August 1, 2009. In October 2008, the FTC granted a six-month delay in the enforcement of the Red Flags Rule from the original November 1, 2008, deadline until May 1, 2009. In a press release dated April 30, 2009, the FTC announced a three-month delay in the enforcement of the section of the Red Flags Rule that requires individuals and entities defined as "creditors" or "financial institutions" under the regulations to implement a written identity theft prevention program to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. This announcement does not affect the other sections of the Red Flags Rule related to users of consumer reports and issuers of debit and credit cards, which became effective on November 1, 2008.

The FTC announced that it soon will release a policy template for entities with a low risk of identity theft to assist them in complying with the law. A quote in the press release from FTC Chairman Jon Leibowitz indicates that this delay also may be used to give Congress the opportunity to revisit the scope of the Red Flags Rule. Chairman Leibowitz said:

[G]iven the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.