FTC Delays Enforcement of Red Flags Rule

30 April 2009 Publication
Authors: Chanley T. Howell

Legal News Alert: Privacy, Security & Information Management

The Federal Trade Commission (FTC) announced on April 30, 2009 that it would delay enforcement of the Red Flags Rule (Rule) until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. The FTC also said it would soon release a template-written program to help entities that have a low risk of identity theft — such as businesses that know their customers personally — comply with the Rule.

The original enforcement date for the Rule, November 1, 2008, was previously postponed to May 1, 2009. In its statement announcing the additional delay, the FTC acknowledged that there is an ongoing debate regarding whether Congress wrote the Red Flags provision in the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the legislation authorizing the Rule, too broadly. The FTC indicated that delaying enforcement of the Rule will “give Congress time to consider the issue further.” The delay also will allow industries and associations more time to share guidance with their members, and provide low-risk entities an opportunity to use the template being prepared by the FTC in developing their programs.

FACTA directed the FTC and certain other regulatory agencies to promulgate rules requiring “creditors” and “financial institutions” that maintain covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. The FTC has interpreted the definition of “creditor” broadly to include any entity that regularly permits customers to pay for goods or services after they are provided such as utilities, telecommunications companies, non-profit and government entities that defer payment for goods or services, and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. A number of health care trade associations have complained loudly to the FTC that Congress did not intend the rules to apply to providers, but so far the FTC has disagreed.

On April 2, 2009, the FTC launched a Web site with resources to help covered entities design and implement identity theft programs. The template being developed by the FTC will be posted on that Web site.

The delay of the Rule’s enforcement is good news for health care providers and other entities that have been hurrying to comply. The additional time will help creditors ensure they are compliant by the new August 1, 2009 enforcement date. The FTC’s announcement also provides some hope that Congress will narrow the reach of the Rule prior to that date.


Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:


Michael Scarano
San Diego/Del Mar, California

Lisa J. Acevedo
Chicago, Illinois

Jennifer G. Karron
Milwaukee, Wisconsin

Chanley T. Howell
Jacksonville, Florida

Peter F. McLaughlin
Boston, Massachusetts

Jennifer L. Rathburn
Milwaukee, Wisconsin

Andrew B. Serwin
Chair, Privacy, Security & Information Management Practice

Related Services