The FTC has for the 4th time, issued an enforcement delay of the FACTA Red Flag rules until June 1, 2010. In fact, this is a “partial” delay. Not all entities required to comply with FACTA Red Flag benefit from the extension and not all of the FACTA requirements have been delayed. Here’s what happened… 

On October 20, 2009, the House of Representatives unanimously approved HR 3763, a bill which would exempt from the coverage of the Red Flags Rule any health care, accounting, or legal practice with twenty or fewer employees, as well as certain other businesses. For that reason, on October 29, 2009, certain members of Congress requested that the Commission further delay enforcement in order to allow Congress to finalize legislation. The Commission believes that such delay is warranted so that it does not begin to enforce a regulation that Congress plans to supersede. Accordingly, the Commission is extending its forbearance from bringing any enforcement action for violation of the Red Flags Rule against a financial institution or creditor that is subject to administrative enforcement by the FTC until June 1, 2010.

A few important notes regarding this partial enforcement delay –

• Only those governed by the FTC received the enforcment delay.  Entities such as Depository institutions (FDIC) or Credit Unions (NCUA) have been required to comply since 11/1/2008.
• Only section 114 of FACTA (pertaining to identity theft) is covered under this extension. Section 315 dealing with Reconciling addresses has been in effect since 11/1/2008
• Although the FTC granted this enforcement delay, many States (and lenders) are already including FACTA compliance in their requirements and auditing process. 

Here’s an excerpt from the FTC’s press release announcing the delay –

“At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

 The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009. The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.”

The entire release is avialable on the Federal Trade Commission website at http://www.ftc.gov/opa/2009/10/redflags.shtm