FTC Announces Further Red Flags Rule Extension, Emphasizes Broad Applicability
- The Federal Trade Commission has announced a further three-month deferral of enforcement, until August 1, 2009, of its "red flags" rule, which requires financial institutions and creditors with covered accounts to develop and implement written identity theft prevention programs. The extension does not affect banks and credit unions with another federal regulator, and those entities remain subject to the original November 1, 2008, compliance date. The FTC said it will use the additional time to release a template to help entities with a low risk of identity theft (e.g., businesses that know all their customers personally) to comply with the law.
The FTC also stressed the broad scope of the requirement, particularly with respect to "creditors." It said in its press release that "creditors" include all entities that regularly permit deferred payments for goods or services. Some examples of creditors are finance companies; automobile dealers that provide or arrange financing; mortgage brokers; utility companies; telecommunications companies; non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals. (However, accepting credit cards as a form of payment does not, by itself, make an entity a creditor.) The FTC believes that the rule applies to nearly 2 million creditors, most of which are low-risk entities. All financial institutions and creditors are required periodically to determine whether they have covered accounts, so all of these businesses will be affected at least to some extent by the rule.
In a recent Paperwork Reduction Act notice, the FTC also addressed the scope of the rule's application to "financial institutions." 74 Fed. Reg. 18709 (Apr. 24, 2009). The FTC said that its statement in the rule's adopting release, that only state-registered credit unions were financial institutions within the FTC's jurisdiction, was incorrect. Rather, the financial institutions within the FTC's jurisdiction include, but are not limited to, certain insurance companies, investment companies, broker-dealers, and money service businesses, totaling over 57,000 entities, that offer consumer transaction accounts. In determining which of these entities hold consumer transaction accounts, and therefore are "financial institutions," I understand that the FTC will not consider an account to be a "transaction account" simply because the holder can make wire or ACH transfers of funds to the customer's bank account, assuming the institution does not engage in other conduct that could bring it within the definition of "financial institution."
The FTC mentioned that it recently renumbered the rule, formerly 16 C.F.R. � 681.2, to 16 C.F.R. � 681.1, in a notice not yet published in the Federal Register. The FTC did not say whether that notice would announce any other changes with respect to the red flags rule.
The FTC press release announcing the extension, with a link to its formal action, is at
For the Paperwork Reduction Act notice, which includes guidance on how the FTC expects the rule to be implemented, see
For my most recent post on the red flags rule, see
The 2007 adopting release is at
John M. Baker <JMB@...>
Stradley Ronon Stevens & Young, LLP http://www.stradley.com
1250 Connecticut Avenue, NW, Suite 500
Washington, DC 20036
FundLaw Listowner http://groups.yahoo.com/group/fundlaw