October 27, 2008

FTC DELAYS IDENTITY THEFT “RED FLAGS”
RULE ENFORCEMENT FOR SIX MONTHS

The Federal Trade Commission (FTC) has announced it will delay the enforcement of the Identity Theft Red Flags Rule (Rule) until May 1, 2009. This will give creditors and financial institutions regulated by the FTC additional time to comply with the Rule, which was to have taken effect on November 1, 2008.

The FTC’s decision, announced on October 22, is limited in scope. It does not affect creditors and financial institutions under the jurisdiction of the federal banking regulatory agencies or the National Credit Union Administration (NCUA). Further, it does not extend the deadline beyond November 1 for users of consumer reports and credit and debit card issuers to develop certain policies and procedures. Consumer report users must still implement policies and procedures for handling notices of address discrepancies; and credit and debit card issuers must still implement policies and procedures for handling a change of address request from a customer that is followed closely by a request for another card.

FTC Learned Some Industries and Entities Were Unaware, Unready

The Identity Theft Red Flags Rule was jointly issued by various federal agencies1 on November 9, 2007, under the Fair and Accurate Credit Transaction Act (FACTA). The Rule requires creditors and financial institutions to develop and implement written identity theft prevention programs designed to identify, detect and respond to identity theft “red flags” – i.e., certain patterns, practices or activities that might indicate an attempt at identity theft. Although the final Rule became effective on January 1, 2008, all covered entities were initially given until November 1, 2008, to approve and implement an initial written Red Flags program.

During its education and outreach efforts following publication of the Rule, the FTC staff learned that some industries and entities were not aware of the rulemaking, nor were they aware that their activities would qualify them as a “creditor” or a “financial institution.”

With the deadline less than two weeks away, many organizations were still seeking guidance from the FTC, and it became clear they would not be able to comply by the November 1 deadline. The FTC determined that delaying the enforcement date would “allow these entities to take the appropriate care and consideration in developing and implementing their programs.”2

The confusion related to the broad definition of the terms “creditor” and “financial institution.” Under FACTA, a creditor is broadly defined as “any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.”3 The FTC has stated that “any person that provides a product or service for which the consumer pays after delivery is a creditor.”4 Likewise, the FTC’s broad list of examples of creditors includes not only “finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies,” but also “non-profit and government entities that defer payment for goods or services.”5 This definition sweeps in entities that normally are not required to comply with FTC rules.

Similarly, FACTA defines a financial institution as “a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a ‘transaction account’ belonging to a consumer.”6 Most of these institutions are regulated by the federal banking agencies or the NCUA and are therefore not affected by the delay. However, financial institutions that are subject to the FTC’s jurisdiction are covered by this broad definition. Such institutions include “state-chartered credit unions and certain other entities that hold consumer transaction accounts.”7 Examples of “certain other entities” that hold consumer transaction accounts include: 1) mutual funds that allow checks to be drawn on the account and 2) universities that offer debit cards.

Red Flags Rule Compliance

Because the Rule applies to a broad range of entities, it is designed to be flexible. Creditors and financial institutions are to develop identity theft prevention programs that are appropriate for their size, complexity and the nature of their operations. Such programs must include reasonable policies and procedures for detecting the warning signs – i.e., “red flags”8 – indicating possible identity theft, such as unusual account activity, consumer report fraud alerts, and suspicious account application documents. In addition, the programs must be in written form and must be administered by the board of directors, a committee designated by the board of directors or a designated employee at the senior management level.

Enforcement Delay Should Give Sufficient Time to Prepare

The six-month delay of enforcement of the Identity Theft Red Flags Rule should allow sufficient time for entities to determine whether they are covered by the Rule and to develop an identity theft prevention program that will comply with the Rule.

1 Office of the Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, and FTC.
2 http://ftc.gov/os/2008/10/081022idtheftredflagsrule.pdf.
3 15 U.S.C. § 1691a(e).
4 http://ftc.gov/os/2008/10/081022idtheftredflagsrule.pdf.
5 http://ftc.gov/opa/2008/10/redflags.shtm.
6 15 U.S.C. § 1681a(t). This definition includes "any other person that, directly, or indirectly, holds a transaction account," as defined under 12 U.S.C. § 461(b).
7 http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm (emphasis added).
8 The FTC has identified 26 examples of such red flags.