At the request of several members of Congress, the Federal Trade Commission is again delaying enforcement of the “Red Flags” Rule - this time through the end of the year while Congress considers legislation that would affect which entities are covered by the rule, according to an FTC statement.
The rule emerged from the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft.
The rule requires certain institutions to develop and implement written identity theft prevention programs to help detect and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. It became effective on Jan. 1, 2008, with full compliance for all covered entities originally required by Nov. 1, 2008.
The FTC has issued several enforcement policies delaying enforcement of the rule. Most recently, the FTC announced in October 2009 that at the request of certain members of Congress, it was delaying enforcement of the rule until today, June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the rule.
The latest announcement about a delay and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original Nov. 1, 2008 deadline for institutions subject to their oversight to be in compliance.
“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We ... hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said in a prepared statement. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”
The FTC wants Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered, according to a statement.
The FTC has continued to provide guidance about the rule through speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form.