To give “creditors” and “financial institutions” with covered accounts more time to develop and implement written identity theft prevention programs to identify, detect, and respond to the warning signs – or “red flags” – that could indicate identity theft, the Federal Trade Commission (FTC) announced it will further delay enforcement of the "Red Flags" Rule to November 1, 2009.

The FTC's Red Flags Rule for creditors and financial institutions was originally supposed to take effect November 1, 2008, but the deadline was extended to May 1, 2009 due to confusion over which industries and entities were subject to the rule. The deadline for the Red Flags Rule was then extended again to August 1, before the latest extension to November 1, 2009.

The Red Flags Rule is an anti-fraud regulation developed by financial regulatory agencies, including the FTC, and mandated by the Fair and Accurate Credit Transactions Act (FACTA) of 2003. FACTA’s definition of “creditors” and “financial institutions” for the Red Flags Rule are as follows:

“Creditors” include any entities that regularly extend or renew credit – or arrange for others to do so – and all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. Some examples of creditors are:

• Finance companies;
• Automobile dealers that provide or arrange financing;
• Mortgage brokers;
• Utility companies;
• Telecommunications companies;
• Non-profit and government entities that defer payment for goods or services; and
• Businesses that provide services and bill later, including many lawyers, doctors, and other professionals

“Financial institutions” include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

Under the Red Flags Rule, these “creditors” and “financial institutions” with covered accounts will need to implement a written identity theft prevention program containing policies that identify, detect, and respond to “red flags” – patterns, practices, activities, or incidents that potentially implicate identity theft – while also ensuring the program is reviewed and updated in order to adjust to changing and developing identity theft risks.

Besides containing the four fundamental elements – identify, detect, respond, and ensure – each written identity theft prevention program under the Red Flags Rule must outline the patterns, practices, activities, and/or incidents that constitute “red flags” of identity theft, which can include:

• Alerts, notifications, or warnings received from a consumer credit reporting agency;
• The submission of suspicious documentation that appears to be altered or inconsistent with other documents on file;
• The submission of suspicious Personally Identifying Information (PII), such as multiple addresses;
• Unusual or suspicious use of, or access to, a covered account; and/or
• Notification from consumers or law enforcement authorities indicating suspected or actual identity theft.

Since many businesses remain uncertain about their obligations concerning identity theft under the Red Flags Rule, the three-month extension to November 1, 2009 should enable these businesses to gain a better understanding of the Red Flags Rule and any compliance issues that they may have under the law.

According to the FTC's press release, the delay in the enforcement of the Red Flags Rule until November 1, 2009, does not affect other federal agencies’ enforcement of the original November 1, 2008, compliance deadline for institutions subject to their oversight.