The Federal Trade Commission is extending the deadline for enforcement of the identity theft prevention “Red Flags Rules” until May 1.
The deadline was extended because many companies were not prepared to meet the original Nov. 1 deadline, an FTC news release said.
The rules require that creditors and financial institutions create and implement an ID theft prevention program.
Entities already have had a year to comply and during that time the FTC has launched outreach efforts to explain the rules. But some companies were not aware that they fell under the distinction of a creditor or financial institution, according to the FTC. Other entities were unprepared because they are not usually required to comply with FTC rules so they ignored the Red Flag guidelines.
“There seems to be a lot of feedback from people saying that there's no way we can meet this deadline,” Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told SCMagazineUS.com Thursday.
Goodman said the deadline extension only applies to the FTC's enforcement of the rules. The deadline extension will not be applicable for businesses that are regulated by federal bank regulatory agencies and the National Credit Union Administration — namely banks, credit unions and credit card issuers.
The deadline extension will affect, however, the majority of the approximately 11 million businesses that are required to comply with the rules, Goodman said.
For the average small-to-medium-size business that didn't know about the rules or hasn't had the time or resources to implement it, the delay is a meaningful recognition that creating and implementing an ID prevention program is important, Goodman said.
“It's better to do it right than to try to meet an unrealistic deadline,” Goodman said.
Goodman said that the true intent of the rules is to shift the burden from the customer having to deal with the problem of ID theft to businesses that are mistakenly granting credit to fraudsters.
The FTC could not be reached for comment Thursday.