FTC Delays Red Flags Enforcement - AgainNov. 1 is New Date for State-Chartered Credit Unions, Other Businesses In a move to give state-chartered credit unions and other small businesses more time to comply with the Identity Theft Red Flags Rule, the Federal Trade Commission (FTC) has announced that it is once again pushing back the date to comply with the rule - this time to Nov. 1, 2009. The previous date was this Saturday, August 1.
The FTC says in its press release that it is expanding its business education campaign on the rule and will "redouble its efforts to educate [businesses] about compliance with the 'Red Flags' Rule" and ease compliance by giving them added resources and guidance to clarify if they are covered and what they must to do comply.
The three-month extension, coupled with this new guidance, says the FTC, should enable businesses to gain a better understanding of the rule and any obligations that they may have under it. The FTC's steps are consistent with the House Appropriations Committee's recent request that the Commission defer enforcement in conjunction with additional efforts to minimize the burdens of the rule on health care providers and small businesses with a low risk of identity theft problems.
Although many covered businesses and other entities have already developed and implemented appropriate, risk-based identity theft prevention programs, some remain uncertain about their obligations, says Betsy Broder, Assistant Director Division of Privacy and ID Protection at the FTC. There will be more compliance guidance available soon designed to help those businesses, she says.
The FTC's Red Flags Web site, www.ftc.gov/redflagsrule, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form. It also has an FAQ www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm section to help companies understand what is expected.
Third Time is the Charm?
"Hopefully third time is the charm," says Sai Huda, Chairman and CEO of Compliance Coach, a regulatory compliance solutions provider. This is the third time the FTC has decided to delay enforcement. Originally, all affected entities - including automobile dealers, utility companies and even healthcare providers -- were to show compliance with the Red Flags Rule by last Nov. 1, the same deadline as that met by banks and other financial institutions. But in late October, the FTC extended the deadline by six months for the roughly 11 million entities it oversees. This move was to give non-banking creditors and state-chartered credit unions additional time to develop and implement written identity theft prevention programs. Prior to the May 1 deadline, the enforcement date again was extended to Aug. 1 to help entities that have not been regulated for compliance in this area before.
"Continuing to delay enforcement creates an unlevel playing field," Huda says. While banks and most credit unions have had to comply and be examined since November 1, 2008, state chartered credit unions and others such as mortgage brokers and mortgage lenders that are under the FTC's jurisdiction get a break until November 1, 2009, Huda observes. "The delay disadvantages some while it advantages others," he says. "FTC should not allow any further enforcement delays."
Those businesses and entities that fall under FTC enforcement should not think that the extension gives them a chance to procrastinate further, Huda notes. "Because even though the FTC will not enforce compliance until November 1, 2009, an entity can be sued by plaintiff attorneys based on violation of state unfair and deceptive acts and practices statutes," he explains.
Banks, credit unions and other financial services companies have been examined for Red Flags compliance since last Nov. 1. Results of those early examinations moved federal regulators to issue guidance on Frequently Asked Questions about compliance.