The Federal Trade Commission said Friday it will push back the Red Flags Rule deadline to December 31, 2010, as Congress considers legislation that would affect the scope of entities covered by it.
Officials said today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008, deadline for institutions subject to their oversight to be in compliance.
The rule, which was slated to go into effect on Tuesday, was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities -- known as "red flags" -- that could indicate identity theft.
The rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The commission has issued several Enforcement Policies delaying enforcement of the rule. Most recently, the commission announced in October 2009 that at the request of certain members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.
Earlier this week, the American Medical Association, American Osteopathic Association (AOA) and the Medical Society of the District of Columbia (MSDC) filed suit against the Federal Trade Commission charging that the FTC's rule exceeds the powers delegated to it by Congress and that its application to physicians is "arbitrary, capricious and contrary to the law."
"The AMA fighting red flags rule is a repeat in history, " said Pam Dixon, founder of the World Privacy Forum. "It does not understand the gravity of medical identity theft. It is a mistake to push back this regulation."
A bill to amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses was also introduced this week. The senators say the bill aims to protect small businesses like doctor's and dentist's offices, veterinary clinics and accounting offices that the FTC has mistakenly classified as "creditors."
The commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the commission will begin enforcement as of that effective date, said officials.
