FTC Grants Further Reprieve on Red Flag Rule Enforcement

Lora Bentley

Compliance Week reported Monday that the U.S. Federal Trade Commission has extended the compliance deadline for its Identity Theft Red Flags Rule. Most recently scheduled to become effective May 1, the rule was promulgated under the Fair and Accurate Credit Transactions Act of 2003. It requires creditors and financial organizations under the FTC's jurisdiction to develop identity theft prevention programs.


Covered entities will now have until Aug. 1 to further develop their programs. The original compliance deadline was Nov. 2008, but the FTC first extended it to May 1, 2009, after financial organizations and creditors exhibited confusion regarding whether they were subject to the rule.


Compliance Week says FACTA "covered entities" include creditors, or "any entity that regularly extends or renews credit," and financial institutions, or "entities that offer accounts that enable consumers to...make payments to third parties."

May 5, 2009 3:13 AM Derek Beckwith says:

I highly recommend this blog post by Steven Bearak of Identity Force calling for businesses to comply with the Red Flags Rule and to protect people from identity theft and data breaches (http://www.idtheftdailynews.com).

Red Flags Rule:  It is time to do the right thing.

On April 30, less than a day before the Federal Trade Commission (FTC) was to begin enforcing the Red Flags Rules, the agency extended the deadline for compliance for the second time, until August 1.   The 11th hour reprieve by the FTC reflects the fact that far too many organizations have either failed in their efforts to develop identity theft prevention programs, or simply ignored the government's mandate to do so.

The Red Flags Rule requires financial institutions and creditors to develop and implement programs to identify, detect, and respond to indications of identity theft.  The rules apply to a wide set of businesses including retailers, hospitals, colleges, universities, and utilities.

Unfortunately, businesses have not stepped up to protect their customers, members or patients.  Two weeks ago Identity Force released a report that warned of non-compliance in the hospital industry.  The report, available at www.identityforce.com/redflagsrulesreport.pdf, revealed that over 80 percent of hospitals were not yet in compliance. 

Identity theft and data breaches should be taken much more seriously by businesses and by the government.  Data breaches are increasing exponentially, organized cybercrime networks are attacking computer systems daily, and every year millions of Americans become victims of identity theft.  What more will it take before organizations do the right thing?

Forty-four states now have identity theft laws on the books, and the FTC eventually will enforce Red Flag Rules.  However, regardless of the letter of the law, identity theft and data breaches are clearly inevitable in today's society.  Complying with new laws and regulations and protecting the public is not an option; it is a necessity for organizations that want to survive in our new economy. Businesses must take action or face significant financial risk and reputation damage.

Some organizations may feel that complying with the new rules and combating identity theft and data breaches is a complex and burdensome task.  In reality it is not.  Turn-key identity protection, compliance and data breach solutions are available for businesses that will immediately bring an organization in line with all state and federal laws.  These solutions will also drive down risk, and have the potential to save businesses millions of dollars.

Executives and managers should not hem, haw, stall or delay any longer.  When asked if they are prepared to do the right thing regarding identity theft protection, their answers should be one word-'Yes.'

Steven Bearak is the CEO of Identity Force.  For more information, visit www.identityforce.com/ProtectBusiness.php.

May 20, 2009 11:31 AM Martin Ethridgehill says:

In review of the previous comment, I am concerned that while many point fingers at business and other entities as being slackers and/or just lazy with compliance, it also seems to me that what has held so many is CLARIFICATION.

It took a while for the FTC to clarify that health care providers were required to comply, then on to non-profits, etc. As questions arose, there was the usual research and review periods.  As the list of "who and what" must comply has increased, the deadlines have been pushed back to accommodate.

I know that it is NOT all this simple, but with so many questions and clarifications required - would time and resources be best spent in stipulating that the right people are asking questions, and the FTC is doing a bang-up job in attempting to resolve them in a timely manner?

It is easy to continue criticizing others, and even harder to do something about helping them?

