“Red Flags” Rule Delayed Again

Just days away from the Aug. 1 implementation deadline, the Federal Trade Commission (FTC) announced July 29 it will further delay enforcement of the Identify Theft Red Flags Rule. Creditors and financial institutions now have until Nov.1 to develop and implement a written Identity Theft Prevention Program.

During the three-month extension, the FTC said it will redouble its efforts to educate small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance.

The Rule—mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA)—is an anti-fraud regulation, requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to the warning signs, or “red flags,” that could indicate identity theft.

FACTA’s definition of “creditor” includes any entity regularly extending or renewing credit—or arranging for others to do so—and includes all entities regularly permitting deferred payments for goods or services. Note that accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

The FTC’s Red Flags Web site offers resources to help entities determine if they are covered and how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.