The Federal Trade Commission (FTC) announced on Oct. 22, 2008, that it is delaying enforcement of the identity theft “Red Flag Rules” until May 1, 2009. This six-month delay grants healthcare and telecommunications providers and other organizations that are subject to the FTC's jurisdiction additional time to establish and implement identity theft detection, prevention, and mitigation programs that comply with the requirements of the rules, which are found at 16 C.F.R. § 681.2.
As published, the Red Flag Rules required financial institutions and creditors to develop and implement a written identity theft prevention program by Nov. 1, 2008. The FTC indicated that the decision to suspend enforcement of the Red Flag Rules until May of next year was based on reports that some entities had not been aware that their activities would cause them to be considered “creditors” or “financial institutions.” These entities informed the FTC that they did not have sufficient time to develop their identity theft prevention programs by the Nov. 1, 2008 compliance date.
The FTC stated that it believes that immediate enforcement of the Red Flag Rules “would be neither equitable for the covered entities nor beneficial to the public” and that delaying enforcement of the rules “will allow these entities to take the appropriate care and consideration when developing and implementing their programs.” (See the FTC's Enforcement Policy Statement and press release.)
The delay in enforcement of the Red Flag Rules only applies to financial institutions and creditors that are subject to administrative enforcement of the Fair Credit Reporting Act by the FTC. It does not affect other federal agencies' enforcement of the original Nov. 1, 2008, deadline for institutions subject to their oversight. The other agencies that have not extended their deadlines are the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration. Also, the delay does not apply to the other regulations promulgated with the Red Flag Rules that address the duties of users of consumer reports regarding “address discrepancies” or the duties of debit or credit card issuers regarding changes of address.
This extension provides an ideal opportunity for organizations to engage in a deliberate and careful process to develop and implement their identity theft prevention programs. As this is likely to be a lengthy process, we encourage our clients who are subject to the Red Flag Rules, including many telecommunications and healthcare providers, to begin or continue their Red Flag compliance efforts as soon as possible to meet the May 1, 2009, deadline. Please let us know if you have any questions or would like us to assist you in creating or administering an identity theft prevention program.
Previous advisory bulletins:
Additional information about the applicability and requirements of the Red Flag Rules may be found in previous advisory bulletins issued by Davis Wright Tremaine LLP:
“‘Red Flag’ Identity Theft Programs,” John D. Seiver and Ronald G. London, July 2008
“Health Care Providers: Don't Miss the Red Flags,” Rebecca L. Williams and Brent R. Eller, August 2008
Davis Wright Tremaine would like to thank associate Megan Vogel for contributing to this advisory.