At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. This announcement by the FTC and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.

The House has passed legislation, H.R. 2345, that would exempt health practices with 20 or fewer employees from the Red Flags Rule and the Senate has introduced legislation that added accounting and legal firms with 20 or fewer employees to the businesses that should be exempted. In addition, the Senate bill, S. 3416, would provide for a process whereby a business that has not experienced identity theft or where identity theft is rare for a businesses of that type, can apply for exclusion from the Red Flags Rule requirements. The Senate bill states that not later than 180 days after the date of enactment, the FTC should issue regulations that set forth a process by which a business may apply for the exclusion.

In the announcement, FTC Chairman Jon Leibowitz stated, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency, we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

MHI members with questions can contact Ann Parman at aparman@mfghome.org.