Red Flags Rule Scheduled to Take Effect June 1, 2010
After four extensions of its enforcement date, the Red Flags Rule (the “Rule”) is scheduled to take effect on June 1, 2010 for creditors and other financial institutions subject to enforcement by the Federal Trade Commission. The most recent extension occurred on October 30, 2009, when the FTC, at the request of Congress, extended enforcement of the Red Flags Rule until June 1, 2010. The Red Flags Rule, however, went into effect on November 1, 2008, for financial institutions regulated by the federal bank regulatory agencies.
The Red Flags Rule requires covered entities to develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft. The Program must be reviewed and updated periodically to take into account incidents of identity theft and new trends that may arise.
The FTC has delayed the enforcement of the Red Flags Rule several times to give businesses, particularly smaller businesses that may not have realized they were subject to the Rule, time to comply. Several categories of businesses — in particular, law firms, accountants and physicians — have independently challenged the applicability of the Rule to their industries. For example, the FTC specifically stated that law firms were subject to the Red Flags Rule. As a result, the ABA filed a lawsuit in federal court, and the court granted the ABA’s request for an injunction and issued a declaratory judgment finding that lawyers were not covered by the Rule. The decision is currently on appeal.
Accountants similarly filed a lawsuit in November 2009 in federal court in the District of Columbia, but the court has not yet ruled. In addition, the FTC rejected a formal request of the AMA for an exemption from the Rule for physicians and medical providers.
A bill currently pending in Congress would carve out an exemption for many medical providers and other smaller creditors. Essentially, the bill would exclude any health care practice, accounting practice, or legal practice with 20 or fewer employees from the meaning of the term “creditor” subject to the Red Flags Rule. If the bill passes, it would also exclude any other business which the FTC determines: (1) knows all its customers or clients individually; (2) only performs services in or around the residences of its customers; or (3) has not experienced incidents of identity theft, and identity theft is rare for businesses of that type. This bill has passed the full House and is pending in the Senate. It is unclear when a Senate vote will be held on the bill.
Because of the confusion surrounding the Rule when it was initially enacted, the FTC has developed several resources and on-line tools, especially targeted at small businesses. These are available at http://ftc.gov/redflagsrule. For instance, the FTC has created a sample red flags policy for businesses that are considered to have a low risk of identity theft, and the FTC has also published an extensive list of “frequently asked questions” to guide businesses on issues ranging from coverage to compliance and enforcement.
Businesses that have not yet developed a written Identity Theft Prevention Program are encouraged to do so before the June 1, 2010 enforcement date.
This is one in a series of advisories regarding the “Red Flags Rule.” If you have questions or would like copies of previous advisories related to this topic, please contact David N. Anthony or Paige S. Fitzgerald. Troutman Sanders LLP offers a full array of services to help bring companies into compliance with the Red Flags Rule.