FTC Delays Enforcement of “Red Flag” Rule Requiring Identity Theft Prevention Programs

The Federal Trade Commission announced that it will suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. The Federal Trade Commission announced that it will suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs.

The Red Flags Rule, summarized in the November issue of the Municipality, was developed pursuant to the Fair and Accurate Credit Transactions Act (FACTA) of 2003 and requires creditors with covered accounts to have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. The deadline was November 1, 2008, but some industries and entities within the FTC's jurisdiction were uncertain about their coverage under the Rule and indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACTA's definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule's requirements too late to be able to come into compliance by November 1, 2008. The Commission announced that it would delay enforcement to enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule.