What is known as the Red Flags Rule was developed under the Fair and Accurate Credit Transactions (FACT) Act. The Red Flags Rule requires financial institutions and creditors with covered accounts to put in place identity theft prevention programs to identify, detect and respond to activities that could indicate identity theft.
The original deadline for compliance was as soon as November 1 - just days away. However, in a recent development, the Federal Trade Commission (FTC) has decided that it will suspend enforcement of the Red Flags Rule until May 1, 2009 to provide financial institutions and creditors extra time to develop and implement identity theft prevention programs.
There likely is a collective sigh of relief - at least for now - among covered entities. They likely appreciate further time to get their identity theft prevention programs in order.
As far as covered entities, financial institutions are deemed those that offer accounts that enable consumers to write checks or to make payments to third parties through other means, including telephone transfers or negotiable instruments.
Creditors are deemed to include any entity that customarily extends, renews or continues credit; any entity that arranges for credit; and any assignee of a creditor that becomes involved in the decision to extend, renew or continue credit. Simply accepting credit cards does not by itself make an entity a creditor for purposes of the Red Flags Rule. Examples of creditors can include finance companies, mortgage brokers and automobile dealers.
One of the primary reasons that the FTC decided to delay enforcement of the Red Flags Rule is that it learned through outreach efforts that some industries and entities were unclear that they were within the ambit of the Rule. Accordingly, and because many of them are not required to comply with FTC rules in other contexts, some of them had not made efforts yet to come into compliance by the time of the original November 1 deadline.
Of course now the FTC, having provided a six-month extension, likely will be less sympathetic later to any lack of compliance by covered entities. For any covered entity that is not yet in compliance with the Red Flags Rule, now is the time to get moving. The new deadline will be here in a heartbeat.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP where he focuses on litigation matters of various types, including information technology and intellectual property disputes.
His website is http://www.sinrodlaw.com and he can be reached at [email protected]. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.
This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.