Editor's Letter - Suspending The Red Flags

The Red Flags Rule became effective Jan. 1, 2008, with full compliance originally expected by the Nov. 1 deadline. However, while conducting outreach efforts throughout 2008 concerning the Red Flags Rule, FTC staff determined that some industries and organizations were uncertain about whether the regulations applied to them. "These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution," according to a press release issued from the FTC Office of Public Affairs. "Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rule making, and therefore learned of the Rule’s requirements too late to be able to come into compliance by Nov. 1, 2008," the FTC explains.

The Red Flags Rule calls for creditors and financial institutions (an explanation of covered entities is available at www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm) to develop, document and implement an "Identity Theft Prevention Program" to safeguard their customers’ personal information. Such programs must include "reasonable policies and procedures for detecting, preventing and mitigating ID theft," allowing financial institutions or creditors to identify patterns, practices and activity that could signal ID theft; detect such red flags; and periodically update the program to reflect changing risks that result from ID theft. (The text of the regulations is available at www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf.)

The delay in enforcement applies to the Identity Theft Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to entities that use consumer reports or to the rule regarding changes of address applicable to card issuers, according to the FTC.

The FTC will use the interim to continue conducting education and outreach efforts regarding the Red Flag Rules, and enforcement actions for violations of 16 CFR 681.2 will not result until after May 1, 2009.

For many of your clients in the financial sector, this is welcome news. And as their information management advisers, your council in helping them understand how this regulation affects them likely would be welcome as well.