FTC delays Red Flags Rule to May 2009

Responding to concerns that some health care providers would not have enough time to comply, the Federal Trade Commission is moving the deadline for its so-called Red Flags Rule to May 1, 2009, six months later than originally planned.

The Red Flags Rule requires financial institutions and creditors with covered accounts have identity theft prevention programs to identify, detect and respond to patterns, practices, or specific activities that could indicate identity theft. The rule could apply to hospitals that meet the FTC's broad definition of "creditor" and which have patient accounts that fall within the scope of "covered accounts."

The American Hospital Association has issued a statement saying that hospitals will need to consolidate procedures into a written format and obtain board approval of the initial written policy in order to comply with the Red Flags Rule.

The FTC announced that it will suspend enforcement of the Red Flags Rule until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under the rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The rule applies to creditors and financial institutions. Federal law defines a creditor to be: any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor, the FTC explains.

Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and nonprofit and government entities that defer payment for goods or services. Financial institutions include entities that offer accounts that enable consumers to write checks or to make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

The FTC launched outreach efforts last year to explain the rule to the many different types of entities that are covered. The agency published a general alert on what the rule requires, and, in particular, an explanation of what types of entities are covered by the rule. (The alert can be found online at www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm.)

During the course of those efforts, the FTC learned that some industries and entities within the FTC's jurisdiction were uncertain about their coverage under the rule. Those entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act's definition of creditor or financial institution, according to the FTC statement.

Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rule making, and therefore learned of the rule's requirements too late to be able to come into compliance by the original deadline. The Commission's delay of enforcement will enable those entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the rule, the FTC states.