The Federal Trade Commission is suspending enforcement of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) Red Flag Identity Theft Rules until May 1, 2009, to give creditors and financial institutions additional time to find out if they come under FTC jurisdiction and, if so, to develop and implement the appropriate identity theft prevention programs.
Under Red Flag rules, financial institutions with covered accounts - an account used mostly for personal, family or household purposes or accounts for which there is a foreseeable risk of identity theft - must have identity theft prevention programs to identify, detect and respond to activities that could indicate identity theft.
However, many entities were surprised to learn their business practices could cause them to fall under FACTA's definition of creditor or financial institution. Since FTC rules do not usually apply to them, they had not taken particular notice of the Red Flag rules and complained that they learned of the requirements too late for the Nov. 1, 2008, compliance deadline.
"Well, one thing to keep in mind is that this rule was put out by the FTC, which does not have regulatory jurisdiction over banks," said Holli Targan, Attorney and Partner at Jaffe, Raitt, Heuer & Weiss PC.
"Regular businesses are not accustomed to keeping abreast of what the FTC tells them they have to do because they're not used to being regulated like that," she added. "The FTC cast a wide net when it said 'creditor' and 'financial institution' to people that normally wouldn't think of themselves as such."
Creditors, as defined by the FTC, are entities that regularly extend, renew or continue credit or arrange for the extension, renewal or continuation of credit. These include, for example, finance companies, automobile dealers, mortgage brokers, utilities and telecommunication service providers. A financial institution is defined by the FTC as a state or national bank, federal savings and loan association, mutual savings bank or federal credit union.
Financial institutions are regulated by federal regulatory agencies and the National Credit Union Association. State-chartered credit unions fall under FTC jurisdiction. Most creditors, except for those controlled by federal bank regulatory agencies and the NCUA, also come under FTC purview. "They define creditor as any person that provides a service for which the consumer pays after delivery of product or services," Targan said. "And that could be almost anyone. So the way the FTC currently defines those terms is confusing as to who exactly these Red Flag rules apply to. It's not a bright line dividing and clarifying the definitions. The FTC needs to recognize that there is confusion and will hopefully shed some light on it."
The FTC said immediate enforcement of the Nov. 1 compliance date would be neither equitable for these covered entities nor beneficial to the public. The FTC believes this six-month extension will give the FTC time to conduct additional education and outreach regarding Red Flag compliance.
For those uncertain if they fall under FTC jurisdiction, Targan recommends they "take a look at their business, talk to a lawyer and make that determination as to whether they have to comply with the regulations." The FTC, federal banking agencies and the NCUA issued guidelines to help covered entities design their programs. For more information, visit http://www.ftc.gov/opa/2007/10/redflag.shtm.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next