FTC Extends Enforcement Date of Red Flags Rule to August 1

On April 30th, in a surprising move, the Federal Trade Commission (the "FTC") extended its deferral of enforcement of the Red Flags Rule until August 1, 2009. This marks the second extension by the FTC. The Red Flags Rule's mandatory enforcement date was originally November 1, 2008. However, the FTC suspended enforcement of the Rule until May 1, 2009. The FTC explained that this second extension is in response to ongoing questions from some sectors - particularly smaller entities that are subject to a low risk of identity theft that "continue to have questions and concerns about the specific obligations they must meet and the burden of complying with the rule."¹

The FTC has estimated that there are more than 1.6 million low-risk entities that will be required to comply with the Red Flags Rule.² The Red Flags Rule requires that "financial institutions" and "creditors" that offer or maintain "covered accounts," develop and implement a program to identify, detect, and respond to identity theft (the "Program"). The FTC intends to publish a guidance to assist low-risk entities in complying with the rule.

If you are interested in learning more about Red Flags Rule policies, training, or sample language, please contact those listed below, or your regular Crowell & Moring contact.

---

¹ FTC Extended Enforcement Policy: Identity Theft Red Flags Rule, 16 CFR 681.1
² 74 Fed. Reg. 18709, 18711 (April 24, 2009).