On Wednesday, July 29, 2009, the Federal Trade Commission (FTC) announced that it would be suspending enforcement of the Red Flags Rule, its new anti-fraud regulations, for three months, until November 1, 2009. The three-month extension followed a request from the House of Representatives’ Appropriations Committee that the FTC defer enforcement of the regulations.
The Red Flags Rule requires certain entities defined as “creditors” and “financial institutions” to implement programs to detect and respond to warning signs (or “red flags”) indicating possible identity theft. The question of whether particular entities are subject to the requirements of the Red Flags Rule has been the source of some confusion. While the FTC has made resources available on its website to assist businesses and other organizations in determining whether they are affected by the regulations, the press release issued Wednesday announced that the FTC would “redouble its efforts to educate” small businesses and other entities by “providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”
In furtherance of that aim, the FTC announced that it would “shortly” be supplying additional compliance guidance, including a link on its Red Flags Rule website to information specifically developed to assist small and low-risk entities in understanding their obligations under the regulations.
We note that this extension does not apply to banks and other financial institutions that have been subject to Red Flag requirements enforced by federal agencies other than the FTC since the original effective date of November 1, 2008.