On November 7, 2007 the Federal Trade Commission, the federal bank regulatory agencies, and the National Credit Union Administration published a notice that finalized the Red Flags Rule ("Rule"), 16 C.F.R. Part 681.2, pursuant to authority created by the Fair and Accurate Credit Transactions Act of 2003.
The Rule requires financial institutions and creditors with covered accounts to develop and implement written identity theft protection programs that identify, detect, and respond to any unusual activity that indicates a reasonably foreseeable risk of identity theft, or any "red flag." (For definitions of "financial institution," "creditor," and "covered account," see FTC Business Alert, New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft (June 2008).)
The Rule was originally scheduled to come into effect on January 1, 2008, with full compliance delayed until November 1, 2008. The FTC later announced multiple further delays. Last week, the FTC announced that the latest delay in enforcement will run through December 31, 2010. This delay comes “[a]t the request of several Members of Congress,” to provide Congress time to consider legislation that would affect the scope of entities covered by the Rule, and on the heels of a lawsuit filed by the American Medical Association and other physicians’ groups against the FTC on May 21, 2010 (in the U.S. District Court for the District of Columbia) related to the Rule, which defines physicians as “creditors.” The FTC’s latest announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 deadline.