The Federal Trade Commission announced it will delay enforcement of the new “Red Flags Rule” another three months -- until Nov. 1, 2009 -- to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.
The FTC also said its staff will redouble its efforts to educate small businesses and other entities about compliance with the Red Flags Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.
The FTC’s Red Flags Web site, www.ftc.gov/redflagsrule, offers resources to help entities determine if they are covered and, if they are, how to comply with the Rule. It includes an online compliance template that enables companies to design their own Identity Theft Prevention Program through an easy-to-do form, as well as articles directed to specific businesses and industries, guidance manuals, and Frequently Asked Questions to help companies navigate the Rule.
The FTC noted that some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations. The additional compliance guidance that the FTC will soon make available is designed to help them. Among other things, FTC staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics – www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm. The enforcement FAQ states that FTC staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.
On Oct. 14, 2008, the Department of Education announced that the "Red Flags Rules" apply to institutions participating in the Federal Perkins Loan Program and may apply to other credit programs administered by an institution. The rule states that "creditors" holding "covered accounts" must comply with the law. The rules have a broad definition of "creditors" and "covered accounts" that is applicable to many colleges.
This is the third time that the FTC has delayed enforcement of the regulations that require financial institutions and creditors to develop and implement a written identity theft prevention program to detect, prevent, and respond to patterns, practices, or specific activities that may indicate identity theft. The regulations were included in the Fair and Accurate Credit Transactions Act (FACT Act) and institutions were expected to be in compliance by Nov. 1, 2008, but the FTC suspended enforcement until May 1, 2009. The FTC then postponed enforcement two more times to give creditors and financial institutions additional time to develop and implement written identity theft prevention programs.
“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.
Naomi Lefkovitz, an attorney in the FTC's Division of Privacy and Identity Protection, said that institutions will generally be subject to "Red Flag" requirements if they loan money and collect it. If an institution is a "creditor" it must then determine if it is holding "covered accounts" - a consumer account that involves multiple payments or transactions (a loan that is billed or payable monthly).
Under this definition, the following activities could make institutions a "creditor" with "covered accounts:"
- participating in the Federal Perkins Loan program,
- participating as a school lender in the FFELP,
- offering institutional loans to students, faculty, or staff, or
- offering an extended tuition payment plan throughout the semester instead of requiring full payment at the beginning of the semester.
Red Flags Rules Resources
By Haley Chitty
NASFAA Director of Communications
Posted 07/31/09 to www.NASFAA.org. Redistribution to non-NASFAA institutions is prohibited. Please submit Web Site questions or comments to Web@NASFAA.org.
