Editor's Letter - Suspending The Red Flags

 Just before the Federal Trade Commission (FTC) was due to begin enforcement of the Identity Theft Red Flags Rule, 16 CFR 681.2, under the Fair and Accurate Credit Transactions Act (FACTA) Nov. 1, 2008, the agency announced that it would suspend enforcement until May 1, 2009. The suspension was issued to give financial institutions more time to develop and enact written ID theft prevention programs.

The Red Flags Rule became effective Jan. 1, 2008, with full compliance originally expected by the Nov. 1 deadline. However, while conducting outreach efforts throughout 2008 concerning the Red Flags Rule, FTC staff determined that some industries and organizations were uncertain about whether the regulations applied to them. "These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution," according to a press release issued from the FTC Office of Public Affairs. "Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rule making, and therefore learned of the Rule’s requirements too late to be able to come into compliance by Nov. 1, 2008," the FTC explains.

The Red Flags Rule calls for creditors and financial institutions (an explanation of covered entities is available at www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm) to develop, document and implement an "Identity Theft Prevention Program" to safeguard their customers’ personal information. Such programs must include "reasonable policies and procedures for detecting, preventing and mitigating ID theft," allowing financial institutions or creditors to identify patterns, practices and activity that could signal ID theft; detect such red flags; and periodically update the program to reflect changing risks that result from ID theft. (The text of the regulations is available at www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf.)

The delay in enforcement applies to the Identity Theft Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to entities that use consumer reports or to the rule regarding changes of address applicable to card issuers, according to the FTC.

The FTC will use the interim to continue conducting education and outreach efforts regarding the Red Flag Rules, and enforcement actions for violations of 16 CFR 681.2 will not result until after May 1, 2009.

For many of your clients in the financial sector, this is welcome news. And as their information management advisers, your council in helping them understand how this regulation affects them likely would be welcome as well.

Read Next

Calendar of Events

February 2009
Explore the February 2009 Issue

Check out more from this issue and find your next story to read.