On April 30, 2009, the Federal Trade Commission (FTC) announced a three-month delay in FTC enforcement of the "Red Flags Rule," which was set to go into effect May 1. The rule requires certain financial institutions and creditors to develop and implement Identity Theft Prevention Programs to prevent, detect, and mitigate identity theft in connection with certain covered accounts. See 16 C.F.R. § 681.2. Under the new timetable, those financial institutions and creditors subject to the FTC's enforcement jurisdiction under the Fair Credit Reporting Act will have until August 1, 2009, to achieve compliance. For entities with a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.
The extension was necessary in part because of the expansive reach of the rule, which applies to any entity that regularly extends or renews credit or arranges for others to do so, and includes all entities that regularly permit deferred payments for goods or services. Examples of creditors covered by the rule are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. According to the FTC's press release explaining the decision to delay the rules, FTC staff learned through outreach efforts that some industries and entities within the agency's jurisdiction were uncertain about their coverage under the Red Flags Rule. FTC Chairman Jon Leibowitz explained: "Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further."
It is important to note that enforcement of the "Red Flags Rule" for financial institutions and creditors regulated by the federal bank regulatory agencies or the National Credit Union Administration is already in effect and has not been extended by those agencies.