Here's a shocker: The Federal Trade Commission has delayed the enforcement deadline for its Red Flag Rules yet again. The number of times full compliance has been delayed for these rules, which are set out in the Fair and Accurate Credit Transactions Act, is beginning to rival the number of times small businesses have been granted a delay in Sarbanes-Oxley 404(b) compliance.
The rules require creditors to develop plans for identifying transactions that could indicate fraud or ID theft. Though they became effective in 2008, full compliance has been delayed at least five times. On May 28, the FTC announced the previous deadline of June 1, 2010, would be extended to Dec. 31, 2010, unless Congress passed legislation on the rules with an earlier effective date.
According to Compliance Week, the delay is intended to give lawmakers more time to determine "the scope of businesses subject to the rules," given that several professional groups and industry associations have lobbied against application of the rules or even filed lawsuits requesting that they be exempt from the rules.
For example, last October, the U.S. District Court for the District of Columbia determined the rules should not be applied to attorneys, and just last month, the American Medical Association and other groups filed suit asking a federal court to prevent the FTC from applying the rules to physicians or medical practices.
Compliance Week blogger Melissa Klein Aguilar notes the House of Representatives has already approved a bill that would exempt "health care, accounting or legal practices with 20 or fewer employees" as well as any business that knows its clients individually where identity theft is not likely, from the requirements. The Senate version of the bill is under consideration.