One day before the Red Flags Rule were to take effect, the Federal Trade Commission announced a three-month delay. Organizations that would have woken up out of compliance today now have until August 1 to comply.
The rule requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. (For more on the rule, see articles in “Privacy & Security.”)
The FTC also announced that it would release a compliance template for entities that have a low risk of identity theft, such as businesses that know their customers personally.
Continued confusion over the terms of the provision resulted in the delay. ”Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said in the statement.
This is the second delay for the Red Flags rule. The original deadline was November 2008.