time to develop and implement written identity theft prevention programs.
For entities that have a low risk of identity theft, such as businesses that
know their customers personally, the Commission will soon release a template to
help them comply with the law. Today’s announcement does not affect other
federal agencies’ enforcement of the original November 1, 2008 compliance
deadline for institutions subject to their oversight.
“Given the ongoing debate about whether Congress wrote this provision too
broadly, delaying enforcement of the Red Flags Rule will allow industries and
associations to share guidance with their members, provide low-risk entities an
opportunity to use the template in developing their programs, and give Congress
time to consider the issue further,” FTC Chairman Jon Leibowitz said.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed
financial regulatory agencies, including the FTC, to promulgate rules requiring
“creditors” and “financial institutions” with covered accounts to implement
programs to identify, detect, and respond to patterns, practices, or specific
activities that could indicate identity theft.
FACTA’s definition of “creditor” applies to any entity that regularly
extends or renews credit – or arranges for others to do so – and includes all
entities that regularly permit deferred payments for goods or services.
Accepting credit cards as a form of payment does not, by itself, make an entity
Some examples of creditors are finance companies; automobile dealers that
provide or arrange financing; mortgage brokers; utility companies;
telecommunications companies; non-profit and government entities that defer
payment for goods or services; and businesses that provide services and bill
later, including many lawyers, doctors, and other professionals. “Financial
institutions” include entities that offer accounts that enable consumers to
write checks or make payments to third parties through other means, such as
other negotiable instruments or telephone transfers.
During outreach efforts last year, the FTC staff learned that some
entities within the agency’s jurisdiction were uncertain about their coverage
under the Red Flags Rule. During this time, FTC staff developed and published
materials to help explain what types of entities are covered, and how they
might develop their identity theft prevention programs. Among these materials
were an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm,
and a Website with more resources, including a compliance template, to help covered entities design and implement
identity theft prevention programs, www.ftc.gov/redflagsrule.