FTC Announces Fourth Extension of Red Flags Rule Enforcement

The Federal Trade Commission (the "FTC") has announced that it will postpone enforcement of the Red Flags Rule¹ until June 1, 2010 for financial institutions and creditors that are subject to FTC oversight. This is the fourth time that the FTC has extended the enforcement timeline. While the Red Flags Rule became effective on January 1, 2008, and the mandatory enforcement date was originally November 1, 2008, the FTC subsequently suspended enforcement of the Rule until May 1, 2009 and then again until August 1, 2009.²

The Red Flags Rule requires financial institutions and creditors to look for "red flags" that signal possible identity theft. In its last extension, the FTC announced that it intended to provide assistance to small businesses and entities with a low risk of identity theft. The FTC has continued to provide guidance, including through materials posted on its Red Flags Rule website³ and in other media. The FTC has also established a template that enables low-risk entities to create identity theft programs within a prescribed format.

This most recent extension came after the House of Representatives passed a bill that would exempt certain facilities and other entities from the Rule, including healthcare, legal, and accounting practices that employ fewer than 20 individuals. Since the Senate has yet to act on the measure, House members were prompted to request this fourth extension in order to avoid imposing the Rule on entities that may, following legislation, be exempt from compliance.

Please let us know if you have any questions or if we can help you in crafting a compliant program.

---

¹ 72 Fed. Reg. 63717, 63771-63775 (Nov. 9, 2007) (codified at 16 C.F.R. Part 681).
² The enforcement delay does not apply to the address discrepancy and credit card issuer rules. These rules are not addressed in this Health Law Alert.
³ www.ftc.gov/redflagsrule