The Federal Trade Commission will delay enforcement of the new Red Flags Rule until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor.

Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. “Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements, and a Website with more resources, including a compliance template, to help covered entities design and implement identity theft prevention programs,