FTC Delays Enforcement Date of Red Flag Rules Until May 1, 2009 to Allow Companies to Determine if They are Subject to the Rules and to Develop and Implement ID Theft Prevention Policies

November 1, 2008 was to have been the mandatory compliance date for the Federal Trade Commission’s (“FTC”) “Red Flag Rules,” but the FTC has recently postponed its enforcement of the Rules until May 1, 2009. This sixmonth delay gives certain companies more time to determine whether they are subject to these Red Flag Rules, and, if they are, to become compliant. Other Federal agencies that have issued similar Red Flag Rules are not affected by the FTC’s enforcement delay.

The Red Flag Rules were promulgated by the FTC in an effort to detect, prevent, and mitigate identity theft pursuant to a requirement in the Fair and Accurate Credit Transaction Act, amending the Fair Credit Reporting Act. The scope of the Red Flag Rules is broader than it may appear at first glance, and this, in essence, is the reason for the FTC’s delay in enforcing the Red Flag Rules. Apparently, the FTC was concerned that many companies are not aware that they are within the scope of the Rules.

Generally, the Red Flag Rules require “financial institutions” and “creditors” to implement a written identity theft prevention program. Such ID theft prevention program must: (a) be formally adopted by the company’s board of directors, a committee of the board, or a designated senior management-level person if the company does not have a board of directors, and (b) designate a senior management-level employee to administer the program, to train staff to comply with the terms of the program, and to report, at least annually, to the board of directors regarding compliance with the program.

The FTC’s Red Flag Rules apply to entities that: (a) are subject to administrative enforcement of the FCRA by the FTC, that (b) are “financial institutions” or “creditors” and that (c) hold “covered accounts.” Many companies that might not consider themselves to be a “financial institution” or a “creditor” may be surprised to learn that they may be within the scope of the Red Flag Rules. For example, regularly permitting customers to defer payment for goods or services could bring a company within the scope of these Rules.

Companies that have not yet examined whether they are within the scope of the Red Flag Rules are encouraged to take advantage of the FTC’s six-month reprieve to determine whether they need to comply with these Rules.