On October 22, 2008, the FTC announced that it will suspend until May 1, 2009 the enforcement of key provisions of the Red Flags Rule. Specifically, the FTC will suspend until next year enforcement of sections of the Rule requiring certain financial institutions and creditors to implement a written identity theft prevention program.
In the Enforcement Policy Statement that accompanied the FTC’s announcement, the agency acknowledged that there is “confusion and uncertainty” about the coverage of the Rule. Many entities in major industries under the FTC’s jurisdiction were not aware that they were engaged in activities that brought them within the scope of the Rule’s definition of “financial institution” or “creditor.” In addition, numerous entities that are generally not regulated by the FTC were simply not aware of the Rule. In light of these findings, the FTC concluded that a delay in enforcement was necessary to give these entities the opportunity to develop and implement written identity theft prevention programs and thus comply with the Rule. The FTC will use the delay to continue its outreach and education efforts. The agency is also expected to issue additional guidance in the form of FAQs.
November 1 Deadline Remains in Place for Some Requirements
It is important to note that the extension does not apply to the provisions of the Red Flags Rule that require (i) users of consumer reports to implement procedures for handling notices of address discrepancy, or (ii) credit and debit card issuers to implement procedures for assessing the validity of change of address notifications. The compliance deadline for these provisions remains November 1, 2008.
Deadline Remains in Place for Certain Financial Institutions
For entities subject to the jurisdiction of the federal banking regulators (the OCC, Federal Reserve, FDIC, OTS and NCUA), November 1, 2008 remains the deadline for compliance with all the provisions of the Red Flags Rule. For these entities, the Federal Financial Institutions Examination Council recently issued the Interagency Examination Procedures for Identity Theft Red Flags and Address Discrepancies Rule (“Examination Procedures”). The Examination Procedures closely follow the requirements of the Rule, but raise some issues that covered entities should consider in fine-tuning relevant procedures.
Specifically, users of consumer reports should confirm that they have implemented procedures not only for handling notices of address discrepancy, but also for recognizing and detecting such notices when they are included in consumer reports. It is not always obvious that a consumer report includes such a notice. While the format of the notice varies among consumer reporting agencies, at least one of the agencies includes only a “yes” or “no” field in its consumer reports, with a “yes” denoting the agency’s determination that there is a substantial difference between the address in the request the agency received and the addresses it has on file for the individual.
In addition, the Examination Procedures require financial institutions to verify the effectiveness of any “technology” they use to detect relevant Red Flags. For example, if a financial institution uses software to detect certain patterns of inconsistent account activity, it should verify that the software is effective in detecting those patterns. Covered entities may address this verification process in annual compliance reports required by the Rule.