Citing Congressional requests and pending legislative changes, the Federal Trade Commission (FTC) again delayed the enforcement date for their "Red Flags" Rules. Originally, enforcement was to begin next week, on June 1, 2010, but has been delayed through December 31, 2010.
In its release on the subject, Commission Chief Jon Leibowitz urged Congress to act quickly in passing legislation that limits the scope of the Rules, which are designed to require "creditors" and "financial institutions" to address the risk of identity theft. "Congress needs to fix the unintended consequences of the legislation establishing the 'Red Flags' Rules -- and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift," said Leibowitz. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
The FTC warned, however, that the enforcement date could be moved up, should legislation be passed with a new date. "If Congress passes legislation limiting the scope of the Red Flags Rules with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date," said the FTC in a statement.
NACM has continued to cover the "Red Flags" Rules, and the ways they might affect business creditors, in Business Credit magazine, NACM's weekly eNews, and on its blog.
Below is a full copy of the release posted on the FTC's website. Stay tuned to NACM for any more updates:
FTC Extends Enforcement Deadline for Identity Theft Red Flags Rules
At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the "Red Flags" Rules through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rules. Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.
"Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rules -- and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift," FTC Chairman Jon Leibowitz said. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
The Rules were developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rules require all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- known as "red flags" -- that could indicate identity theft.
The Rules became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rules. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rules until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rules. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rules beyond June 1, 2010.
The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rules and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rules with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.
In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm). The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rules, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.
As was the case previously, this enforcement delay is limited to the Red Flags Rules and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R.§641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R.§681.2).
For questions regarding this Enforcement Policy, please contact Naomi Lefkovitz or Pavneet Singh, Bureau of Consumer Protection, 202-326-2252.