Federal Trade Commission Delays Enforcement of "Red Flags Rule" for Certain Financial Institutions and Creditors

Federal Trade Commission Delays Enforcement of "Red Flags Rule" for Certain Financial Institutions and Creditors

Publication

Related Solutions

We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.
Bank Regulation and Enforcement

On October 22, 2008, the Federal Trade Commission announced a six-month delay in FTC enforcement of the "Red Flags Rule." The rule requires certain financial institutions and creditors to develop and implement Identity Theft Prevention Programs to prevent, detect, and mitigate identity theft in connection with certain covered accounts. See 16 C.F.R. § 681.2. Under the new timetable, those financial institutions and creditors subject to the FTC's enforcement jurisdiction under the Fair Credit Reporting Act will have until May 1, 2009, to achieve compliance. This does not affect the November 1, 2008, enforcement deadline for rules (1) requiring issuers of credit and debit cards to develop policies and procedures to assess the validity of an address change request when that request is followed closely by a request for an additional or replacement card, 16 C.F.R. § 681.3; and (2) requiring users of consumer credit reports to develop policies and procedures to respond to notices from credit reporting agencies regarding address discrepancies, 16 C.F.R. § 681.1.

The extension was necessary in part because of the expansive reach of the rule, which applies to finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and entities (including certain broker-dealers and mutual fund companies) that provide "transaction accounts," including credit card accounts, checking accounts, and margin accounts. As the FTC explained in the Enforcement Policy Statement, "some industries and entities within the FTC's jurisdiction have expressed confusion and uncertainty about their coverage under the rule . . . [and] were not aware that they were undertaking activities that would cause them to fall within FACTA's definitions of 'creditor' or 'financial institution.'" Furthermore, many entities had informed the FTC "that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008."

It is important to note that the deadline for enforcement of the "Red Flags Rule" for financial institutions and creditors regulated by the federal bank regulatory agencies or the National Credit Union Administration has not been extended by those agencies. Although those agencies could extend their enforcement deadlines, there does not appear to have been the same level of confusion about the applicability of the rule with respect to these entities.

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel