In a highly significant move for entities subject to FTC jurisdiction, the FTC has decided to delay for six months its enforcement of the "Red Flags" rule issued last year under the Fair and Accurate Transactions Act of 2003 ("FACTA"). In an announcement on October 22, 2008, the Commission said it had learned that many entities only recently became aware of the rule and its possible application to them, and therefore would not be able to meet the compliance deadline of November 1, 2008. So the Commission is going to give entities subject to its jurisdiction until May 1, 2009 to comply.
Why the confusion? Because the Red Flags rule, which the FTC promulgated jointly with the federal banking regulators and the National Credit Union Administration (NCUA), applies to "financial institutions" and "creditors," many non-banking entities apparently thought they were not covered. But under the FACTA, a “creditor” includes “any person or entity who regularly extends, renews, or continues credit," and “credit” means “the right granted by a creditor to a debtor to defer payment of debt . . . .” So, a person can be a "creditor" simply by providing goods or services without obtaining advance or simultaneous payment.
What's the consequence for entities that are covered? The Red Flags requires all "financial institutions" and "creditors" to establish and implement an Identity Theft Prevention Program. That involves:
Organizations that have not yet determined whether or not they are covered by the FACTA identity theft regulations should immediately analyze their activities to reach such a determination. Those that are covered should move promptly to adopt the policies and procedures required to comply. Input from legal counsel should guide both the analysis of the applicability of the rules and the design and evaluation of particular compliance measures. The FTC takes identity theft very seriously, and its authority to impose penalties under the regulations will likely be exercised vigorously once the enforcement date is reached.