At Last Minute, FTC Postpones Enforcement Of Red Flags Rule

If you've been burning the midnight oil to meet the federal government's new regulations for the handling of personal data, then relax. You have an extension on the deadline.

The Federal Trade Commission late yesterday said it will delay enforcement of the new "Red Flags Rule" -- which had been scheduled to go into effect today -- until Aug. 1, "to give creditors and financial institutions more time to develop and implement written identity theft prevention programs."

The FTC also said it will soon release a template for companies that have lower risk of identity theft -- such as those that know their customers personally -- to help them comply with the law.

"Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further," said FTC Chairman Jon Leibowitz in a statement.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to implement rules requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

FACTA's definition of "creditor" applies to any entity that regularly extends or renews credit -- or arranges for others to do so -- and includes all entities that regularly permit deferred payments for goods or services, including small businesses, such as doctors and lawyers. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

"Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, including telephone transfers.

During the agency's Red Flag outreach last year, the FTC learned that some industries and entities within its jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. The FTC now offers a Website to help clarify the rule.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.