‘Red Flags Rule' Delayed Again

Under pressure from Congress, the Federal Trade Commission has once again delayed its enforcement of the “Red Flags Rule” that would require financial institutions and all “creditors” to implement identity theft protection plans.

The FTC's enforcement of the rule, which was set to become effective Tuesday, now will become effective Jan. 1, 2011 — unless it is delayed again. Many banks are already subject to the rule through their regulations by other federal agencies.

The rule has been proposed to cover any financial entity or “creditor” that allows multiple payments for a good or service. All entities covered by the rule would be required to develop and implement written programs to help identify, detect, and respond to potential identity theft.

But various professional groups — including those for lawyers, accountants and doctors — had either won or sought exemptions from the proposed rule in recent months. The American Medical Association was the latest such group to argue that its members should not have to comply; it filed a lawsuit against the FTC on May 21.

Meanwhile, full implementation of the proposed rule, which came out of legislation Congress passed in 2003, has been delayed several times. The June 1 implementation date had been the result of another postponement of the implementation date, announced by the FTC in October of 2009.

At the crux of the confusion and debate is whether the rule’s definition of “creditor” is too broad. The rule’s current definition would include any entity that allowed for multiple payments for a good or service. That definition would include not only banks, loan companies and retailers, but also doctors and dentists’ offices, automobile dealers, telecom firms and cities that collect utility bills.

"Anybody that is not requiring cash upfront falls under these rules in theory," said Nathan Kottkamp, a partner at the McGuire Woods law firm of Richmond, Va., told the Richmond Times-Dispatch. "It's very expansive."

But advocates for protection against identity theft argue the rule should be broad to cut down on identity theft, the fastest growing crime in the United States.

In its news release issued May 28 announcing the delay, the FTC indicated that the delay “through Dec. 31, 2010” would occur “while Congress considers legislation that would affect the scope of entities covered by the rule.”

"Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule — and to fix this problem quickly," FTC Chairman Jon Leibowitz said in the release. "As an agency we're charged with enforcing the law, and endless extensions delay enforcement."