The Federal Trade Commission (FTC) recently announced that it is postponing implementation of the Red Flags Rule until November 1, 2009, in order to provide businesses with more education about compliance with the Rule.
The Federal Trade Commission (FTC) recently announced that it is postponing implementation of the Red Flags Rule until November 1, 2009, in order to provide businesses with more education about compliance with the Rule. This will include additional resources and guidance to clarify whether businesses are covered by the Rule and, if so, what they must do to comply.
The Red Flags Rule is an anti-fraud regulation. It was jointly issued by several federal agencies to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act and is enforced by the FTC.
The Red Flags Rule has two major requirements. The first requires businesses and organizations that use consumer reports to implement policies and procedures when a consumer reporting agency sends the user a notice of address discrepancy. This requirement is currently being enforced. The second requires creditors and financial institutions with covered accounts to implement written Identity Theft Prevention Programs. The program should detect "red flags" of identity theft in the company's daily operations, implement steps to prevent identity theft, and mitigate damage identity theft causes. Enforcement of this requirement has been postponed.
Under the Red Flags Rule, the term "creditor" has a broad definition and includes any businesses or organizations that regularly defer payments for goods or services or provide goods or services and bill customers later. It also includes businesses that regularly grant loans or extend credit or arrange for the extension of loans or credit, such as car dealerships, mortgage brokers, real estate agents, and retailers that offer financing.
Doctors, lawyers and other professionals have criticized the FTC's broad interpretation of the term "creditor" as including businesses that bill clients some time after providing services. In the press release announcing the delay of implementation of the Red Flags Rule, the FTC noted that some entities, particularly small businesses and entities with a low risk of identity theft, remain uncertain about their obligations. According to the press release, the additional guidance the FTC plans to make available is designed to help these entities.
The FTC has already posted FAQs that address how it intends to enforce the Red Flags Rule and other topics – www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm. The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers' homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
More information regarding the Red Flags Rule can be found on the FTC's website at www.ftc.gov/redflagsrule. If you have questions regarding whether your business or organization is required to implement an Identity Theft Prevention Program or need assistance in developing such a program, you can contact the author of this alert, Jade Cobb, at 864-699-1145, jcobb@fordharrison.com, or the Ford & Harrison attorney with whom you usually work.