This morning, the Federal Trade Commission (FTC) announced it will delay (again) enforcement of the new “Red Flags Rule,” now until August 1, 2009 to give affected entities more time to comply. In the press release, FTC Chairman Jon Leibowitz said:
“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further.”
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. The FTC release points out that accepting credit cards as a form of payment does not, by itself, make an entity a creditor.
The news Release states that for entities that have a low risk of identity theft, such as businesses that know their customers personally, the FTC will be releasing templates to help them comply with the law. The FTC also already has a number of materials posted to help explain what types of entities are covered by the FTC Red Flag Rules and to provide guidance. See: www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm and www.ftc.gov/redflagsrule.