Federal Trade Commission Delays Enforcement of the Red Flags Rule (Again) and Offers Some Hints as to What May Happen
May 14, 2009
By: James B. Wieland
"It's déjà vu all over again" — Yogi Berra
The day before its May 1, 2009 enforcement date, the Federal Trade Commission (FTC) announced a second extension, until August 1, 2009, of enforcement of the Red Flags Rule. For more information on the Red Flags Rule and the first extension of enforcement, see Jim Wieland's previous articles in Payment Matters.
The purpose of the second extension was: ". . . to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law."
By way of explanation, the FTC Chairman stated: "Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further."
While no one can predict what will happen between now and August 1, it appears that concerns about the application of the Red Flags Rule to industry segments that have not traditionally been within the jurisdiction of the FTC have been heard. These concerns may result in legislative changes, possibly including a narrowing of the jurisdictional ambit of the Red Flags Rule.
Equally interesting, however, is the Chairman's reference to a "template for low-risk entities" that must develop a Program. In the original Red Flags Rule comments, published in the November 9, 2007 Federal Register, the FTC stated: "To the extent that entities with consumer accounts determine that they have minimal risk of identity theft, they would be tasked only with developing a streamlined Program."
Little other guidance has been provided by the FTC as to what would qualify as "low risk" of identity theft or what a "streamlined Program" would consist of. Now we know that it apparently includes companies that know their customers personally. The Chairman's announcement raises the possibility that the FTC will provide a streamlined means of compliance with the Red Flags Rule that may apply to the health care industry.
The complete text of the FTC's April 30th, 2009 announcement can be found at ftc.gov/opa/2009/04/redflagsrule.shtm.