BankInfoSecurity.com - Information Security News, Regulations, & Education


FTC Won't Enforce ID Theft Red Flags Rule Until May 1

Six-Month Delay Gives Break to State-Chartered Credit Unions, Non-Banking Creditors
October 24, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

The Federal Trade Commission (FTC) announced this week it will suspend enforcement of the new Identity Theft Red Flags Rule until May 1, 2009 - six months beyond the original Nov. 1 deadline.

This move will give non-banking creditors and state-chartered credit unions additional time to develop and implement written identity theft prevention programs. FTC observers saw that many industry segments were unaware of the compliance date, hence the six-month pushback of enforcement. (See the FTC Statement on Enforcement.)

Betsy Broder, Assistant Director in FTC's Division of Privacy and Identity Protection, says recent statistics from the Paperwork Reduction Act suggest that the FTC has 11 million creditors that would fall under the agency's watchful eye, including automobile dealers, public utilities and other businesses that rely heavily on personally identifiable information. "Congress set a pretty broad definition of creditor as well when borrowing the term from the Equal Credit Opportunity Act -- this is why the reach is so great," Broder says.

Reasons for the pushback in the enforcement date are stated simply by Broder as, "We wanted to do the right thing. We tried to be as transparent as possible in our policy statement. We heard from lots of organizations and industries that said they weren't aware of their need to develop an ID Theft Prevention Program."


The Credit Union National Association (CUNA) says as of now only state-chartered credit unions will be affected, as they fall under the FTC's rules. Federal credit unions overseen by the National Credit Union Administration (NCUA) still must be compliant by Nov. 1, according to John McKechnie, the NCUA media spokesperson.

The FTC's delay does not apply to address discrepancy rules that were issued at the same time as the red flags rule.

The FTC's announcement also does not affect other federal agencies' enforcement of the original Nov. 1, 2008 deadline for financial institutions subject to their oversight.

Why the Delay?
The FTC's decision to push back the enforcement date began with its outreach efforts to explain the rule to the many different types of entities that are covered by it. Examples of businesses and organizations that said they weren't ready included utilities, certain healthcare providers, and higher education organizations. Most of those entities that aren't compliant have not been subject to FTC oversight in other areas of their business.

During meetings with industry groups, the FTC learned that some entities within the FTC's jurisdiction were uncertain about their coverage under the rule. These businesses told them they were not aware that they were engaged in activities that would cause them to fall under the FACT Act's definition of creditor or financial institution.

Even with the outreach efforts, where the FTC was explaining the program requirements via webinars to 1500 people at a time (the equivalent of standing room only in a live setting), Broder says the number of calls the agency fielded from people saying "I just found out our company was covered ..." indicated that a step-back was the right thing to do.

In their eagerness to become compliant, companies might not take the right deliberate steps to identify what the risks are, and instead go out and buy something off the shelf for compliance or do something that wasn't well suited to their business, Broder notes. "So in the interest of getting it right, we extended the date for enforcement to give those companies time to get their program in place."

Under the ID Theft Red Flags Rule, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any third-party service providers.

Designing and putting in place a program that is appropriate to a creditor's size and complexity and nature of its business can be helped through the guidelines issued by the FTC and the federal banking agencies. (See related story: ID Theft Red Flags Rule: How to Help Your Business Customers Comply.)






What do you make of the FTC pushing off the ID Theft Red Flags Rule compliance date until May 1?

"My credit union is in the 30 million range, but we have 4 employees. I have been working on this plan for the last few months and have a final plan written and waiting for a response from our Board. So, maybe small credit unions will get a break...hopefully NCUA might change their minds and give us a small extension...it's not November 1st yet!!
"Federally-chartered CUs under $25m in assets should be allowed the extension. We were not big enough to have a Compliance Officer until I was appointed as such due to this regulation. Other small CUs may be in the same boat.
"I agree with the first comment. I believe it should apply to all types of entities, so there is not further confusion in the compliance deadline.
"It should be applied to all entities, including banks.
"Federally chartered credit unions should get this extension also, especially those under $25,000,000. We work with a very small staff, and the regulations after regulations bury us.