Once again, at the request of members of Congress, the Federal Trade Commission (FTC) has delayed the enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors.
The prior enforcement date had been November 1, 2009. In May of 2009, the FTC changed the enforcement date from May 1, 2009 to August 1, 2009.
As part of the Fair and Accurate Credit Transactions Act, Congress directed the FTC and other agencies to develop regulations requiring financial institutions and creditor companies to address identity theft. The resulting regulations require these companies to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities -- commonly called "Red Flags" -- that could indicate identity theft.
The FTC regulations are pretty specific about the types of companies covered by these new identity-theft regulations:
"The Rule defines a “financial institution” as: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a “transaction account” belonging to a consumer. “Transaction accounts” are deposits or accounts from which a consumer can make payments or transfers to third parties. Banks, federally chartered credit unions, and savings and loans come under the jurisdiction of the federal bank regulatory agencies or the National Credit Union Administration and should check with them for guidance. The FTC’s jurisdiction extends to state chartered credit unions and other institutions that hold transaction accounts – for example, mutual funds that offer accounts with check writing or debit card privileges or other businesses that offer accounts where consumers can make payments or transfers to third parties. Under the Rule, the definition of “creditor” is broad, and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. The definition also covers businesses or organizations that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing... In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. For example, a third-party debt collector..."
In April of 2009, the FTC launched a Web site to help small and medium-sized businesses comply with the new Red Flag regulations. A U.S. District recently ruled that attorneys are exempt form the new regulations. A different set of regulations apply to hospitals and health care firms.
During the coming weeks and months I will explore the Red Flag rules more closely since the new enforcement data is an opportunity for consumers to demand more from companies that store and user their sensitive personal information. The opportunity is for consumers to be able to ask a company they are considering doing business with for a written statement of how that company protects their sensitive personal data.
Will the June 2010 date hold? Who knows. The FTC's pattern of delays suggests probably not. As this issue moves forward, the I've Been Mugged blog will report about it.
Comments