The Red Flags Rule requires certain entities defined as “creditors” and “financial institutions” to implement programs to detect and respond to warning signs (or “red flags”) indicating possible identity theft. The question of whether particular entities are subject to the requirements of the Red Flags Rule has been the source of some confusion. While the FTC has made resources available on its website to assist businesses and other organizations in determining whether they are affected by the regulations, the press release issued Wednesday announced that the FTC would “redouble its efforts to educate” small businesses and other entities by “providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.”
In furtherance of that aim, the FTC announced that it would “shortly” be supplying additional compliance guidance, including a link on its Red Flags Rule website to information specifically developed to assist small and low-risk entities in understanding their obligations under the regulations. Edwards Angell Palmer & Dodge will monitor these developments and provide additional information as it becomes available.
We note that this extension does not apply to banks and other financial institutions that have been subject to Red Flag requirements enforced by federal agencies other than the FTC since the original effective date of November 1, 2008.