The latest extension, the second in the last six months, was executed to help entities that have not been regulated for compliance in this area before. For FTC-overseen creditors, which include state-chartered credit unions, hospitals, utilities, mortgage brokers, auto dealers, etc., the added three months is a needed breather.
Why the Delay?
Two factors, lack of awareness and involvement of trade associations, played into the FTC's decision to push back enforcement until August 1, says a leading compliance expert. There still is not a great level of awareness about the Red Flags Rule among the majority of covered entities, says Sai Huda, Chairman and CEO of Compliance Coach, a risk management and compliance firm. The other key factor, Huda says, is that several trade groups representing some of the covered entities complained to the FTC that their constituents needed more time. "For example, the American Medical Association (AMA) first argued that the Rule did not apply to hospitals and doctors, then when the FTC said the Rule in fact did, they complained that their constituent needed more time to comply," Huda says.
There are certain groups that Huda has seen as lacking in compliance or even understanding they fall under this regulation. A recent survey conducted by Compliance Coach of 100 hospitals indicated 91 percent of those polled were not in compliance, and 73 percent indicated they were surprised the Rule applied to them.
"Only a few of the larger hospitals were in compliance, and this was the same for doctors and dentists," Huda says. "Most are not even aware of the Red Flags Rule and the fact that it applies to them."
Other groups lacking in awareness or compliance are colleges, universities and educational institutions. "Mortgage brokers and auto dealers are getting into compliance from pressure from banks and credit unions, since they are service providers to them and pose risk," Huda observes.
Despite the delay, Betsy Broder, Assistant Director in the FTC's Division of Privacy and ID Protection, says, "Many of the higher risk entities got it right away and are now compliant."
The rule was drafted to be risk-based, says Broder, so the type and complexity of an entity's program must be commensurate with the identity theft risk it encounters. "This is not a document-heavy regulation. If they (businesses) are low risk, then their red flags will be minimal." For low-risk entities this should not be a heavy task to undertake, she emphasizes.
To enable better compliance, the FTC is conducting webinars, speaking engagements and teleconferences on compliance with this regulation, says Broder. One recent example is a series of workshops that was free for businesses to attend, "Best Practices of Business: Protecting Personal Information and Fighting Fraud with the Red Flags Rule." There is also guidance from the FTC on Fighting Fraud with the ID Theft Red Flags rule (PDF).
There also is a dedicated website that contains all of the FTC's published resources. To further assist with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.
What to Expect on Aug. 1
Expectations from the FTC on the new August 1, 2009 enforcement date can be summed up in one word, according to Broder: "Compliance." She anticipates compliance with the regulation will be higher. "We've gotten very positive feedback, which is gratifying," she says. "On August 1, we start our enforcement program and will be looking for high-risk entities that have done very little to bring themselves into compliance with this regulation."
Businesses that have worked in earnest to comply with the Red Flags Rule will not be the focus of enforcement, Broder says. "Our priority is to help businesses get it right; we're not looking for technical violations, but want real compliance on this regulation," says Broder. "If a business has put forth good faith efforts, we'll take that into consideration."
But just because the FTC will not enforce compliance until Aug. 1, that doesn't mean businesses are safe from being sued if someone's identity is stolen from them, says Huda. "Even though FTC will not enforce compliance for three more months, these entities are technically out of compliance with the rule and are exposed," he says. Plaintiff attorneys may sue, alleging non-compliance with federal and state unfair deceptive acts and practices violations. "This will most certainly happen if there is a breach and consumers' identifying information is stolen at a covered entity," he notes.
As for businesses that expect the date to be pushed back again, Huda warns them not to expect it. "The hard and fast date is August 1. That is unless during this time Congress changes the definition of who is a covered entity. Stay tuned to this summer's new blockbuster: FTC versus the lobbyists," he says.