The Fair and Accurate Credit Transactions Act of 2003 required the U.S. Federal Trade Commission to develop new rules about identity theft for financial institutions and companies that handle consumer financial accounts:
"The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:"
"Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;"
"Detect red flags that have been incorporated into the Program;"
"Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and"
"Ensure the Program is updated periodically to reflect changes in risks from identity theft."
In his Identity theft and Business blog, John Taylor emphasized the types of companies that must comply with the new "red flag" rules:
"Every covered business, non-profit, municipality, county, financial institution, auto dealership, mortgage brokerage, utility company, insurance agency, medical office, or any organization that accepts regular payment accounts for services or goods..."
John also gave a clear description of the consequences of non-compliance:
"From this point forward not having such a plan in place could possibly result in individual lawsuits, class actions, fines, audits, and possibly federal and state prosecution of all officers if any personally identifiable information (PII) is found to have been lost or stolen from the organization."
Affected companies were to have their programs in place and ready by November 1, 2008. Last week, the FTC announced that the deadline for compliance was delayed six months to May 1, 2009. In its news release, the FTC listed the following reasons for the delayed deadline:
"The Commission staff launched outreach efforts last year to explain the Rule to the many different types of entities that are covered by the Rule. The agency published a general alert on what the Rule requires, and, in particular, an explanation of what types of entities are covered by the Rule. During the course of these efforts, Commission staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule. These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule’s requirements too late to be able to come into compliance by November 1, 2008. The Commission’s delay of enforcement will enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule."