The Federal Trade Commission announced on April 30, one day before the intended May 1 Red Flags Ruleenforcement deadline, a third extension of that deadline to August 1, 2009. It’s like showing up to class without your homework and the teacher is out sick that day….kind of. The first extension from November 1, 2008 to May 1, 2009 seems to center on the general confusion among many market sectors around their level of coverage under the Identity Theft Red Flags Rule. This latest delay seems to be a result of pushback from businesses with a lower risk of identity theft occurrences and a more "known" consumer base.
So, it looks like we have at least three more months of preparation time. This can be a good thing for all institutions regardless of their current Red Flag guidelines readiness status. Those who scrambled to get a program in place now have time to fine tune it. Those that were hoping for another extension have it. Those who still question what their program should look like or if they are even covered can look forward to some more clarifying information out soon.
Some key takeaways from the announcement:
- The FTC announcement does not impact other federal agency enforcement deadlines dating back to November 1, 2008.
- Specific to institutions that may have a perceived lower risk of identity theft, or businesses that generally know their customers personally, the Commission will be publishing more clarifying language and sample process (in the form of a template) to help those types of businesses comply with the Rule.
Finally, this quote from the announcement sums it up: “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.