On Oct. 22, 2008, the Federal Trade Commission (“FTC”) announced that it will delay for six months (from Nov. 1, 2008, to May 1, 2009) its enforcement of the “Red Flag Rules” that are aimed at preventing and combating identity fraud.
The Red Flag Rules were issued jointly by the federal bank regulatory agencies, the National Credit Union Administration and the FTC on Nov. 9, 2007, pursuant to the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). The Red Flag Rules require financial institutions and creditors to develop and implement written “identity theft prevention programs.” Such programs are meant to provide for the identification, detection, and response to patterns, practices, or specific activities (i.e., “red flags”) that could indicate identity theft.1 Under the Red Flag Rules, a broad range of businesses must adopt such programs because of their inclusion within the scope of financial institutions and creditors. For example, the definition of “creditor” includes not only banks, thrifts and credit unions, but also finance companies, broker-dealers, automobile dealers, utility companies, telecommunication companies, and businesses that have accounts for which there is a reasonably foreseeable risk to customers from identity theft.
Now, just days before the Nov. 1, 2008 deadline for covered entities to implement their identity theft prevention programs, the FTC has announced that it has decided to delay its enforcement of the Red Flag Rules until May 1, 2009. In its recent public statement, the FTC stated that “some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule” and “indicated that they were not aware that they were undertaking activity that would cause them to fall within FACTA’s definitions of ‘creditor’ or ‘financial institution.’” According to the FTC, the uncertainty is at least partly attributable to the fact that many entities covered by the Red Flag Rules generally are not subject to FTC regulation in other contexts. Due to this uncertainty, many covered entities learned of the requirements of the Red Flag Rules too late to comply by Nov. 1, 2008. Accordingly, the FTC has decided to delay enforcement for six months.
Finally, the FTC’s announcement only delays the enforcement of the Red Flag Rules. It does not delay the FTC’s enforcement of the Special Rules for Card Issuers or the Address Discrepancy Rules.2 Also, the federal bank regulatory agencies and the National Credit Union Administration have not given parallel extensions to entities that are within those agencies’ regulatory purview. Therefore, the Nov. 1, 2008, deadline remains in force for those entities.