Consumer Law - FTC Postpones Red Flags Rule Compliance
In response to multiple inquiries and confusion over the applicability of the Red Flags Rule, the FTC has just announced that it will suspend enforcement of the Rule until May 1, 2009 (extended from the original November 1, 2008 enforcement
date). This action will provide creditors and financial institutions with additional time in which to develop and implement an identity theft prevention program that conforms to the Red Flags Rule. The FTC has stated
that it will forebear from bringing any enforcement action for violation of the Rule during this six-month period. The FTC's announcement, however, makes clear that it applies only to entities subject to its jurisdiction.
It is unclear, however, whether the other agencies charged with overseeing enforcement of this Rule―the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, Office of Thrift
Supervision, and the National Credit Union Administration―will announce a similar extension of the November 1, 2008 compliance date.
The Red Flags Rule resulted from the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act, and requires covered entities to develop and implement a written Identity Theft Prevention
Program designed to detect, prevent, and mitigate identity theft. Many entities subject to the Rule noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even
been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008. During the six-month extension period, the FTC has stated that it will conduct
additional education and outreach regarding the Rule.