FTC Provides Six-Month Forbearance On 'Red Flag Rule' Enforcement

The Federal Trade Commission announced it will suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time to develop and implement written identity theft prevention programs.

The delay of enforcement will give entities that did not realize they were subject to the rule sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the rule, according to an FTC press release.

The "Red Flag" regulations require financial institutions and creditors to develop and implement a written identity theft prevention program to detect, prevent, and respond to patterns, practices, or specific activities that may indicate identity theft. They were included in the Fair and Accurate Credit Transactions Act (FACT Act) and institutions were expected to be in compliance by Nov. 1.

On Oct. 14, the Department of Education announced that the "Red Flags Rules" apply to institutions participating in the Federal Perkins Loan Program and may apply to other credit programs administered by an institution. The rule states that "creditors" holding "covered accounts" must comply with the law. The rules have a broad definition of "creditors" and "covered accounts" that is applicable to many colleges.

Naomi Lefkovitz, an attorney in the FTC's Division of Privacy and Identity Protection, said that institutions will generally be subject to "Red Flag" requirements if they are loaning out money and collecting it. If an institution is a "creditor," it must then determine whether it is holding "covered accounts" - a consumer account that involves multiple payments or transactions (such as a loan that is billed or payable monthly).

Under this definition, the following activities could make institutions a "creditor" with "covered accounts":

  • participating in the Federal Perkins Loan program,

  • participating as a school lender in the FFELP,

  • offering institutional loans to students, faculty, or staff, or

  • offering an extended tuition payment plan throughout the semester instead of requiring full payment at the beginning of the semester.

Lefkovitz was featured in an EDUCAUSE Web cast presented yesterday to cover institutions' responsibilities under the new rules (an archive of the Web cast is available on the EDUCAUSE Web site). She tried to reassure institutions that might be dreading compliance with the new rules.

"We don't want people panicking," she said. "That is why it is risk-based and flexible."

She encouraged institutions to evaluate the risk for identity theft on their campus and design their "Red Flag" program to address the unique risk level on their campus.

"The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of activities," she said.

Under the "Red Flag Rules," institutions that are considered "creditors" with "covered accounts" must implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of a "covered account" or any existing "covered accounts."

This program must:

  • Identify relevant red flags (patterns, practices, or specific activities that could indicate identity theft) and incorporate them into the program

  • Detect red flags that are part of the program

  • Respond appropriately to any red flags that are detected

  • Ensure the program is updated periodically to address changing risks

Most institutions have procedures to identify "red flags." The key to compliance with the "Red Flag Rules" is to systematize existing procedures and develop a written plan to be approved by the board of directors or an equivalent, according to guidance by the National Association of College and University Business Officers (NACUBO).

By Haley Chitty
NASFAA Associate Director of Communications

Posted 10/23/08 to www.NASFAA.org. Redistribution to non-NASFAA institutions is prohibited.