FTC DELAYS MANDATORY COMPLIANCE DATE FOR RED FLAGS RULE
The Federal Trade Commission (FTC) has issued an Enforcement Policy Statement providing that the FTC will suspend enforcement of the Identity Theft Red Flags Rule until May 1, 2009. The rule, promulgated under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), had an original mandatory compliance date of November 1, 2008.
The FTC explained that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule, which applies to creditors and financial institutions. These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACTA’s definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule’s requirements too late to be able to come into compliance by November 1, 2008.
The limited delay in enforcement does not extend to the rule regarding address discrepancies applicable to users of consumer reports or to the rule regarding changes of address applicable to card issuers. The delay also does not extend to entities subject to the jurisdiction of any of the other federal agencies that have issued Red Flags Rules, including the Office of the Comptroller of the Currency, the Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of Thrift Supervision.