Compliance with Red Flags Rule

August 14, 2009 Advisory

This advisory provides information about the federal regulation promulgated by the Federal Trade Commission (the "FTC"), in coordination with five other federal agencies, that is commonly known as the Red Flags Rule (the "Rule"). In response to confusion about the Rule and its requirements, the FTC, on July 29, 2009, delayed enforcement of the Rule for a third time, until November 1, 2009.
What is the date by which compliance is required?
On November 9, 2007, the FTC and other federal agencies jointly issued the Rule in an effort to prompt the adoption of policies and procedures to prevent, detect, and mitigate identify theft. While the Rule became effective on November 1, 2008, the FTC announced repeated delays of enforcement, most recently until November 1, 2009. Thus, any institution subject to the Rule will need to adopt and implement appropriate policies and procedures by November 1.
Who must comply?
The rule applies to any "creditor" that has a "covered account," and those terms are broadly defined.
A "creditor" includes: (1) any person who regularly extends, renews or continues credit; (2) any person who regularly arranges for the extension, renewal, or continuation of credit; (3) any assignee of an original creditor who participates in the decision to extend, renew, or continue credit; or (4) any person who provides services in exchange for future or deferred payment. This broad definition of "creditor" encompasses many businesses, such as legal practices, healthcare providers, utility companies, and others, depending on the particular billing arrangements that the business uses.