FTC Won't Enforce ID Theft Red Flags Rule Until May 1

Six-Month Delay Gives Break to State-Chartered Credit Unions, Non-Banking Creditors
FTC Won't Enforce ID Theft Red Flags Rule Until May 1
The Federal Trade Commission (FTC) announced this week it will suspend enforcement of the new Identity Theft Red Flags Rule until May 1, 2009 - six months beyond the original Nov. 1 deadline.

This move will give non-banking creditors and state-chartered credit unions additional time to develop and implement written identity theft prevention programs. FTC observers saw that many industry segments were unaware of the compliance date, hence the six-month pushback of enforcement. (See the FTC Statement on Enforcement.)

Betsy Broder, Assistant Director in FTC's Division of Privacy and Identity Protection, says recent statistics from the paperwork reduction act suggest that the FTC has 11 million creditors that would fall under the agency's watchful eye, including automobile dealers, public utilities and other businesses that rely heavily on personally identifiable information. "Congress set a pretty broad definition of creditor as well when borrowing the term from the equal credit opportunity act -- this is why the reach is so great," Broder says.

Reasons for the pushback in the enforcement date are stated simply by Broder as, "We wanted to do the right thing. We tried to be as transparent as possible in our policy statement. We heard from lots of organizations and industries that said they weren't aware of their need to develop an ID Theft Prevention Program.

The Credit Union National Association (CUNA) says as of now only state-chartered credit unions will be affected, as they fall under the FTC's rules. Federal credit unions overseen by the National Credit Union Administration (NCUA) still must be compliant by Nov. 1, according to John McKechnie, the NCUA media spokesperson.

The FTC's delay does not apply to address discrepancy rules that were issued at the same time as the red flags rule.

The FTC's announcement also does not affect other federal agencies' enforcement of the original Nov. 1, 2008 deadline for financial institutions subject to their oversight.

Why the Delay?
The FTC's decision to push back the enforcement date began with its outreach efforts to explain the rule to the many different types of entities that are covered by it. Examples of businesses and organizations that said they weren't ready included utilities, certain healthcare providers, and higher education organizations. Most of those entities that aren't compliant have not been subject to FTC oversight in other areas of their business

During meetings with industry groups, the FTC learned that some entities within the FTC's jurisdiction were uncertain about their coverage under the rule. These businesses told them they were not aware that they were engaged in activities that would cause them to fall under the FACT Act's definition of creditor or financial institution.

Even with the outreach efforts where the FTC was explaining the program requirements via webinars to 1500 people at a time (the equivalent of standing room only in a live setting) Broder says the number of calls the agency fielded from people saying "I just found out our company was covered ..." indicated that a step-back was the right thing to do.

In their eagerness to become compliant, companies might not take the right deliberate steps to identify what the risks are, and instead go out and buy something off the shelf for compliance or do something that wasn't well suited to their business, Broder notes. "So in the interest of getting it right, we extended the date for enforcement to give those companies time to get their program in place."

Under the ID Theft Red Flags Rule, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any third-party service providers.

Designing and putting in place a program that is appropriate to a creditor's size and complexity and nature of its business can be helped through the guidelines issued by the FTC and the federal banking agencies. (See related story: ID Theft Red Flags Rule: How to Help Your Business Customers Comply.)

While the FTC will not examine individual businesses for compliance, those identified as holding creditor status must be prepared to demonstrate a written program.

No Reprieve for Banks
For financial institutions overseen by federal banking regulators, the compliance deadline still remains Nov. 1, and includes state-chartered banks that are also overseen by the FDIC or the Federal Reserve Board, according to Kevin Mukri, spokesperson for the Office of the Comptroller of the Currency (OCC).

William Henley, Director of IT Risk Management at the Office of Thrift Supervision (OTS), says there's no extension in site for his agency's institutions, either. "We've been pretty open and up front about the compliance date," Henley says. "The message we've (OTS, OCC, FDIC and FRB) been saying is November 1st means November 1st, and that we expect financial institutions to be compliant by that date."

There also won't be much wiggle room for those institutions that haven't got a program fully in place, he adds. "If an institution just started working on their program on October 20, then they're not going to be viewed as very favorably as, say, the institution that began work on it last year, and for whatever reason wasn't able to come to full compliance. Maybe they were extremely reliant on a vendor to deliver part of their program -- hey will be looked upon more favorably than the one that put it off until the last minute."

Those that are showing due diligence in meeting compliance will be treated differently than "the institution that just had its head in the sand until the last moment," Henley notes.

There will be some thresholds that examiners will have to look for, such as a board-approved program. "Regardless of when an examiner goes into examine the institution, whether it is October 29 or November 1, that should be able to look at the board minutes between October 2007 and October 31, 2008 and see that at some point a committee or the board had approved a comprehensive program," Henley observes.

Henley's advice to those institutions that haven't done work on the ID Theft Red Flags? "If they haven't done it, well, I don't know what to say, but at this point those institutions that aren't ready should be braced for having some criticisms in their report of examination."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network