The Federal Trade Commission (the “FTC” or “Commission”) is extending further its deferral of enforcement of the Identity Theft Red Flags Rule to November 1, 2009.1 This rule was promulgated pursuant to § 114 of the Fair and Accurate Credit Transactions Act (“FACTA”). Congress directed the Commission and other agencies to develop regulations requiring “creditors”2 and “financial institutions”3 to address the risk of identity theft. The resulting Identity Theft Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs.
The identity theft prevention programs must be designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. This rule applies to all entities that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers.
The final rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. During the course of the Commission’s education and outreach efforts following publication of the rule, a number of industries and entities within the FTC’s jurisdiction expressed confusion and uncertainty about their coverage by and/or obligations under the rule. Owing to this confusion, the Commission issued an Enforcement Policy on October 22, 2008, delaying enforcement of the rule as to the entities under its jurisdiction by six months, until May 1, 2009. For similar reasons, the Commission issued another Enforcement Policy on April 30, 2009, deferring enforcement until August 1,
2009.4
During this time, Commission staff has continued to provide guidance, both through materials posted on the dedicated Red Flags Rule website (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. Further, the Commission published a compliance guide for business, and created a template that enables low risk entities to create a Program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm). Staff also has published numerous general and industry-specific articles and continues to respond to inquiries by telephone and email through a dedicated email box ([email protected]). To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.
Although many covered entities have developed and implemented appropriate, risk-based programs since the Commission promulgated the final rule, some covered entities, particularly small businesses and entities with a low risk of identity theft, remain uncertain about their compliance obligations. 5 In order to assist these small and low risk entities with compliance under the Rule, the Commission staff will shortly make available additional resources and guidance.6 Among other things, Commission staff will create a special link for small and low risk entities on the www.ftc.gov/redflagsrule site with materials that provide guidance and direction regarding the rule. This extension, coupled with the release of guidance directed to small and low risk entities, should enable these entities to gain a better understanding of the Rule
and any obligations that they may have under it.
The Commission believes, therefore, that immediate enforcement of the rule on August 1, 2009, would not further the exercise of good public policy, and that an additional three month extension is warranted. Accordingly, the Commission is extending its forbearance for bringing any enforcement action for violation of the Identity Theft Red Flags Rule, 16 CFR 681.1, against a financial institution or creditor that is subject to administrative enforcement of the Fair Credit Reporting Act by the FTC, for an additional three months, from August 1, 2009, until November 1, 2009.
This delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.1) and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 641), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.2).
For questions regarding this enforcement policy, please contact Naomi Lefkovitz, Bureau of Consumer Protection, 202-326-2252, or email [email protected].
Source: FTC [pdf]