On April 30, 2009, for the second time, the Federal Trade Commission (FTC) extended the enforcement date of its "Red Flags Rule" (16 C.F.R. § 681.2). The Red Flags Rule became effective January 1, 2008, but the FTC initially delayed the enforcement date until November 1. On October 22, the FTC announced it was delaying enforcement until May 1, 2009.

The FTC's most recent announcement delays enforcement until August 1, 2009. In addition to delaying enforcement, the FTC also has been engaged in efforts to educate businesses about the Red Flags Rule. In March it released a How-To Guide for Business in an effort to help clarify who is covered and what is expected. This was followed on May 13 by a Do-It- Yourself Prevention Program to aid organizations at low risk for identity theft in achieving compliance.

The Red Flags Rule, enacted pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), requires covered entities to develop a written program consisting of policies and procedures to identify, detect, respond to, and periodically evaluate "red flags" indicative of identity theft. Covered entities under the rules are "financial institutions" and "creditors" holding "covered accounts."

The financial institutions subject to FTC jurisdiction are not traditional financial institutions like banks and savings and loans, but other entities holding transaction accounts.

Transaction accounts are accounts from which consumers can make payments or transfers to third parties such as a mutual fund with checkwriting privileges. The term “creditors” is defined by reference to the Equal Credit Opportunity Act (ECOA).

Covered accounts include those used primarily for personal, family, or household purposes and that permit multiple payments or transactions, as well as other accounts held by covered entities for which there is a foreseeable risk of identity theft.

According to the FTC's How- To Guide, these other accounts might include small business accounts, sole proprietorship accounts, or even single transaction consumer accounts. The How-To Guide therefore makes it clear that the FTC expects covered entities to assess non-credit accounts (in the case of covered creditors) and nontransaction accounts (in the case of covered financial institutions) for inclusion as covered accounts in developing a red flags program.

The broad sweep of the Red Flags Rule, including its applicability to creditors, has caused considerable confusion for businesses. This confusion is one of the primary reasons the FTC has further delayed enforcement. In its How-To Guide, the FTC confirms that the definition of creditor is expansive, including any business or organization that regularly defers payment for goods or services or provides goods and services and bills customers for them later. The FTC explains this may include utility companies, health care providers, and telecommunications companies, among others. The FTC has not accepted the American Medical Association's arguments that doctors and other health care providers should not be covered.

The Red Flags Rule also applies to any entity that regularly grants loans, arranges for loans or the extension of credit, or that makes credit decisions. The FTC surprised some retailers when it stated in its How-To Guide that this included retailers that "help consumers get financing from others, say, by processing credit applications." Depending on the circumstances, the FTC's interpretation may extend beyond the scope the ECOA definition of “creditor.”

In announcing the latest extension of the enforcement date, FTC Chairman Leibowitz explained that "[g]iven the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further."

After the announcement, H.R. 2345, a bill to exclude health care practices with 20 or fewer employees from Red Flags enforcement, was introduced in the U.S. House of Representatives. It is unclear whether there will be additional legislative activity, challenges to the Red Flags Rule, or further delayed enforcement.