The Federal Trade Commission (“FTC”) issued a press release on April 30, 2009, a day before the effective date of the federal Red Flag rules (16 CFR 681, the “Rules”), extending the enforcement date for creditors, for a second time, to August 1, 2009. For financial institutions, compliance has been required since November 28, 2008. The Rules require that “financial institutions” and “creditors” with “covered accounts,” as defined under the Rules, develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft. In a recent letter to the American Medical Association, the FTC interpreted the term “creditor” broadly to include all entities that defer payment, turning many arrangements in which there is not immediate payment into an extension of credit. This interpretation extended the reach of the Rules to entities that are not traditionally considered to be “creditors” and caused substantial confusion among industries and entities.
The three-month forbearance will give the FTC time to develop a template Red Flag program for non-traditional creditors and low-risk entities and address the confusion and uncertainty among industries and entities about their obligations under the Rules. The FTC reiterates the broad application of the Rules to “all entities that regularly permit deferred payments for goods or services” and maintains that “businesses that provide services and bill later, including many lawyers, doctors, and other professionals” are creditors for the purpose of the Rules.
