The Federal Trade Commission (FTC) has delayed the implementation deadline of its “Red Flags Rule” to May 1, 2009. Creditors and financial institutions were initially required to have policies for identifying, detecting and responding to patterns that could indicate identity theft by November 1, 2008. The delay is to allow affected companies to have more time to develop, have the board of directors or senior management approve and implement written identity theft prevention programs.
The Red Flags Rule was instituted under the Fair and Accurate Credit Transactions (FACT) Act of 2003.
Despite outreach efforts that began last year to explain and educate companies about the types of entities covered by the rules, confusion has persisted. The FTC’s staff became aware that some industries and entities under the FTC’s jurisdiction were uncertain about their coverage under the guidelines and were not aware that they engaged in activities that would cause them to fall under the FACT Act’s definitions of “creditor” or “financial institution.” Other companies indicated that since they had historically not been subject to the FTC’s jurisdiction, they were not aware of the rulemaking and therefore learned of the Red Flags Rule too late to be in compliance by the November 1 deadline.
To view a copy of the FTC’s release about the delay, and for more information, click here.