The rules, developed in accordance with the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require financial institutions and creditors to develop written programs to identify, detect, and respond to indications of identity theft.
FTC Chairman Jon Leibowitz said in a news release Thursday that the delay is meant to enable industries and associations, such as the American Bar Association and American Medical Association, to provide guidance to their members as to which entities fall under the rule and how they should comply. In addition, the delay gives Congress time to address whether the provision was written too broadly, he said.
The rules became effective Nov. 1, 2008, but the FTC pushed back the enforcement deadline until May 1. This is now the second time the FTC has extended the deadline.
Since 2007, the FTC has had outreach programs to explain the rules. But some companies were not aware whether they fell under the distinction of a creditor or financial institution, according to the FTC. Other entities were unprepared because they are not usually required to comply with FTC rules, so they simply ignored the Red Flags guidelines.
"I am not surprised they are delaying this," Eduard Goodman, general counsel and chief privacy officer for vendor Identity Theft 911, told SCMagazineUS.com Friday. "I have spoken to a lot of professionals in business, legal practice and medical practice that were caught off guard in being aware of this."
Jon Gossels, president of IT compliance and security consultancy SystemExperts, told SCMagazineUS.com Friday in an email that the debate over the rules centers around the fact that under FACTA, the definition of a creditor is broad.
The law defines a creditor as any entity that “regularly extends or renews credit -- or arranges for others to do so -- and includes all entities that regularly permit deferred payments for goods or services,” according to the FTC. This can be construed as applying to literally millions of small businesses, including car dealerships, law firms and medical practices, since any business that defers payments must comply, Gossels said.
In September 2008, with the original Nov. 1 deadline quickly approaching, the American Medical Association wrote a letter to the FTC asking for clarity as to whether the Red Flags Rules apply to doctors and physicians. The FTC wrote a lengthy response, essentially saying "yes."
The FTC was not available immediately Friday for comment.
But Gossels said despite some confusion, he does not expect Congress to alter the law. He added that the rules make sense, were created in response to a real and growing problem and ultimately, financial institutions and creditors must demonstrate that they are in compliance. However, the FTC may choose to only casually enforce the rules at first to give organizations time to implement their programs, Gossels said.
The FTC also announced Thursday that it plans to release a template to help companies that are less likely to experience an ID theft issue comply with the law. An example of a low-risk company is one that knows its customers personally, according to an FTC news release.
In early April, the FTC created a website aimed at helping entities comply with the rule.
The Aug. 1 extension applies to entities under the FTC's jurisdiction, which includes state-chartered credit unions. It does not apply to other federal agencies' enforcement of the original Nov. 1 deadline.