Identity Theft Red Flags Rule Enforcement Deadline Extended (Yet Again)
With three lawsuits now pending in federal court to exempt certain professions from the reach of the Red Flags Rule and two bills pending in the Congress to do the same, the FTC determined that it was best to once again further delay enforcement of the identity theft prevention regulation past the current enforcement deadline of June 1.
In a press release and enforcement policy statement, the FTC announced today that it is delaying its enforcement of the Red Flags Rule through December 31, 2010. The Red Flags Rule requires covered businesses to establish and implement Identity Theft Prevention Programs in order to detect, prevent, and mitigate identity theft.
The FTC asserts that several members of Congress have again asked the Commission to delay enforcement in order to give Congress time to work through its pending legislation regarding the scope of businesses that should be covered by the Rule. H.R. 3763 (pdf) passed 400-0 last year and has received no Senate action. Meanwhile, a companion S. 3416 (pdf) was introduced in the Senate just before the Memorial Day holiday.
Notably, the FTC made no mention of the three federal cases now pending against it. As reported earlier on this blog, on May 21, the American Medical Association joined the American Bar Association and the American Institute of Certified Public Accountants in filing suit against the FTC to exempt its members from the reach of the Red Flags Rule.
The FTC urged Congress to act quickly on its pending legislation. The Commission stated that, if Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, then the Commission will begin enforcement as of that effective date.
This further delay of the enforcement deadline gives non-bank businesses the extra time they need to determine whether they are subject to the Red Flags Rule and, if so, to perform a suitable risk assessment that will assist in the establishment of an appropriate Identity Theft Prevention Program. Banks and other financial institutions that are subject to supervision by a federal bank regulatory agency should already have such a program in place.