Red Flags Rule Deadline Extended (Again)

“[Barring] a last minute delay, the Federal Trade Commission is set to enforce its identity theft rules known as Red Flags on Nov. 1,” Computerworld magazine reported at the start of last weekend.

Good thing they included the qualifier.

After three previous delays, the Federal Trade Commission has once again postponed its enforcement deadline for the Red Flags Rule, a regulation that sets up guidelines by which banks and other credit-extending institutions are supposed to abide in order to mitigate the risk of identity theft when processing credit applications. The guidelines, which emerged from the Fair and Accurate Credit Transactions Act (FACTA), set forth 26 specific “flags” of dangerous activity—patterns, practices or specific circumstances that are potential signals of fraud to come. The FTC’s enforcement protocols are specifically open-ended, requiring only that creditors develop a written program that identifies and detects these warning signs, and sets forth an appropriate response (a reasonable request, when one considers how identity theft is, by most anecdotal and statistical measures, on the rise).

Businesses wishing to learn more can visit the FTC’s Red Flags Rule web site, which includes a “do-it-yourself template” for small businesses.

Of course, businesses that haven’t kept up with Red Flags Rule requirements can breathe a little easier. They now have until June 2010 to become compliant, publications including the Dallas Business Journal have reported. The compliance extension arises from pushback from organizations under FTC jurisdiction that were “uncertain about their coverage under the Red Flags Rule,” according to the IDG News Service piece that earlier appeared in Computerworld. “Many entities also argue that, because they generally are not required to comply with FTC rules in other contexts, they have not had enough time to develop compliance plans. Others have raised a stink about complying with the rules.

The IDG article points out that the regulations have been met with some opposition in Congress. In October, they unanimously approved a measure, now in committee, “to exempt health care, legal and accounting firms employing fewer than 20 people from Red Flags.

Unfortunately, the longer compliance is postponed, the longer the risk of identity theft to consumers and businesses will be extended. The time is now for businesses to get written anti-identity theft into place—not June 2010.