FTC Announces Delay in Enforcement of the Red Flags Rule

The Federal Trade Commission announced yesterday that it will delay enforcement of the "Red Flags" Rule (the "Rule") for another three months, until November 1, 2009. Prior to this announcement, the Rule was to be enforced beginning August 1, 2009. In response to some confusion regarding the applicability of the Rule to certain entities and industries, the FTC is delaying enforcement in order to "give creditors and financial institutions more time to review [forthcoming FTC] guidance and develop and implement written Identity Theft Prevention Programs."

The FTC Extended Enforcement Policy notes that the Rule applies to "all entities that regularly permit deferred payments for goods or services including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of business that invoice their customers."  Through additional guidance the FTC intends to clarify whether certain businesses are covered by the Rule and what covered entities must do to comply, such as adopting identity theft prevention programs that are designed to "identify, detect, and respond to patterns, practices, or specific activities - known as ‘red flags' - that could indicate identity theft."

This enforcement delay applies to entities that are subject to administrative enforcement of the Fair Credit Reporting Act by the FTC. The Extended Enforcement Policy cautions that this delay does not extend to rules regarding address discrepancies applicable to users of consumer reports or changes of address applicable to card issuers, nor does it affect other federal agencies' enforcement of the original November 1, 2008, compliance deadline for institutions subject to their oversight.