FTC Extended Enforcement Policy: Identity Theft Red Flags Rule

At the request of several members of Congress, the Federal Trade Commission (the “FTC” or “Commission”) is extending its deferral of enforcement of the Identity Theft Red Flags Rule (“Red Flags Rule” or “the Rule”)¹ until June 1, 2010.

The Rule was promulgated pursuant to the Fair and Accurate Credit Transactions Act (“FACTA”), in which Congress directed the Commission and other agencies to develop regulations requiring “creditors”² and “financial institutions”³ to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs. The identity theft prevention programs must be designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” –that could indicate identity theft.

The final Red Flags Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. Previously, the Commission issued Enforcement Policies delaying the enforcement of the Rule as to entities under its jurisdiction until November 1, 2009.⁴

The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule website (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. Further, the Commission published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form.⁵

Staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

_____________________________________

 1- 16 C.F.R. 681.1. On November 9, 2007, the Federal Trade Co 1 mmission, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Administration published a joint notice of final rulemaking in the Federal Register (72 Fed. Reg. 63,718) finalizing the Red Flags Rule regulations and guidelines.

2- In FACTA, Congress imported the definition of creditor from the Equal Credit Opportunity Act (“ECOA”) for purposes of the Fair Credit Reporting Act. This definition covers all entities that regularly permit deferred payments for goods or services. The definition thus has a broad scope and may include entities that have not in the past considered themselves to be creditors. For example, creditors under the ECOA include professionals, merchants, and service providers that regularly provide a product or service for which the consumer pays after delivery.

3- Congress defined a “financial institution” under § 111 of FACTA to include any person that holds a consumer transaction account as defined by § 19(b) of the Federal Reserve Act. The types of financial institutions that fall under the FTC’s jurisdiction include state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, and other entities that offer accounts where the consumer can make payments or transfers to third parties.

4- The Commission’s enforcement policies are available at www.ftc.gov/os/2008/10/081022idtheftredflagsrule.pdf.

5- The online form is available at www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm.