Technology Law Source Mapping the evolving legal landscape

Compliance (Might Be?) Required: The Continuing Saga of the Identity Theft Red Flag Rules

Posted in Red Flag Rules Compliance

It was November 1, 2007 when federal banking regulators and the Federal Trade Commission (FTC) jointly issued final rules under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). These rules established for the first time the requirements for identity theft prevention programs implemented by financial institutions and other “creditors.” Those final rules were set to go into effect one year later, on November 1, 2008. As to all financial institutions regulated by the federal banking regulatory agencies (the Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the National Credit Union Administration), those final rules became effective and enforceable as planned. For other “creditors” governed by the FTC, however, enforcement has been a long tale of hurry-up-and-wait.

Delay, Delay, Delay

Despite the general applicability guidance contained in the Red Flag Rules, businesses have had difficulties understanding whether they must comply simply because they technically meet the definition of “creditor” and technically hold “covered accounts.” Initially, such widespread confusion caused the FTC to delay enforcement of the Red Flag Rules six months to May 1, 2009.

With May 1, 2009 looming, the confusion and uncertainty had not subsided. As a result, the FTC again decided to delay enforcement, this time for three months to August 1, 2009. The FTC also created a Red Flag Rules website to provide information, guidance, and an identity theft prevention program template. “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement … will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

That delay put the FTC on the defensive. Industry groups such as the American Medical Association and the American Bar Association voiced strong opposition to the application of the Red Flag Rules to their respective members. The FTC responded by launching a Red Flag Rules education campaign, which included the publication of 37 Red Flag Rules FAQs. In an effort to allow time for the education campaign to quell the widespread fear and opposition, the FTC again delayed enforcement to November 1, 2009—a full year after the original enforcement date.

And More Delays

Unfortunately for the FTC’s cause, these delays have done nothing but bolster the opposition. As November 1, 2009 came near, Congress took up the issue. On October 20, 2009, the House of Representatives unanimously approved HR 3763, which would exempt any health care, accounting, or legal practice with twenty or fewer employees, as well as certain other businesses, from the application of the Red Flag Rules. Also, on October 30, 2010, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flag Rules to any attorneys. Because of those two events, and at the request of members of Congress, the FTC delayed enforcement of the Red Flag Rules to its current date of June 1, 2010.

Will HR 3763 Ever Become Law?

Will the FTC delay enforcement again? Will HR 3763 become law? Time will reveal those answers. In the meantime, businesses to which the Red Flag Rules will apply should follow FTC guidance and prepare a written identity theft prevention program. Presumably, companies that protect their customers from identity theft will be favored in the marketplace. Once FTC enforcement commences, businesses that fail to comply risk civil monetary penalties of up to $2,500 for each violation and increased liability if a customer becomes the victim of identity theft.