The Red Flags Rules are coming, the Red Flags are coming - NOT - Think Privacy

Think Privacy

May 1 2009   7:49PM GMT


Posted by: Matthew Barach
Privacy compliance, Red Flags Rules, FTC, Identity theft prevention

The Red Flags are coming. The Red Flags are coming. The Red Flags are here! Well, after further review, they are not here and they might not be coming at all, at least in their present form.

The FTC announced today that they “will grant a three-month delay of enforcement of ‘Red Flags’ Rule requiring creditors and financial institutions to adopt identity theft prevention programs.” Read the FTC announcement. The enforcement of the FTC Red Flag rules was to begin today, May 1, 2009, and this is the second time the FTC has delayed enforcement of the rules.

The FTC has given its reason for delaying enforcement of the rule as the need “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” However, it is believed that the real reason for the latest extension for compliance with the rules is the ongoing debate over their broad application. As FTC Chairman Jon Leibowitz said in the press release, “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members… and give Congress time to consider the issue further.”

The FTC has also promised to release a template which will assist companies who have a low risk of identity theft to easily comply with the rules.

So, what is going on here? First let’s take a quick look at what the Red Flag Rules are and what they might mean to your business. The rules apply to financial institutions and creditors. We all understand what financial institutions are, but the trouble lies in the definition of a “creditor.”

The FTC has put forth a definition of a “creditor” that is very broad and includes businesses and organizations that regularly defer payment for goods or services. Examples of creditors include non-profits and government agencies. Think government-owned utilities and student loan programs. (You might want to check out http://www.ftc.gov/redflagsrule) A creditor is essentially a business that extends credit to a customer. Is this your business?

As a result of this definition of a creditor, some major industries are crying foul. The American Medical Association, in a letter to the FTC, has strongly objected to the FTC staff’s interpretation that physicians are “creditors,” under these rules. The AMA has also expressed concern that “If physicians are forced to collect monies up front from their patients to avoid being called creditors and being subjected to an unfunded, costly, burdensome mandate that duplicates existing requirements under the Health Insurance Portability and Accountability Act (HIPAA), the Red Flag Rule will undoubtedly undermine health care reform and our nation’s access to health care services.”

Given the debate, and Chairman Leibowitz’s specific reference to Congress, it is likely that further examination of the Red Flag Rules will begin. It is likely that the definition of a creditor might undergo some modification. Perhaps health care providers will be excluded from the definition of a “creditor,” or the size of the business will be taken into account when determining if a business meets the definition of a creditor.

But do not think for a moment that your organization can breathe a sigh of relief from the second delay of enforcement of these rules. Identity theft and privacy compliance will continue to be a major issue in the information world. It is likely that the Obama administration will continue to focus on enforcement of privacy compliance due to heightened concerns about identity theft.

Moreover, despite today’s delay of enforcement by the FTC, the rules are already in effect; it is only the enforcement of the rules that has been delayed. As an FTC attorney pointed out to me this week, the rules themselves are not that difficult: you need to think like a potential ID thief and then guard your business accordingly.

Best practices for any business that handles personal information will be to develop written identity theft prevention plans now, before enforcement of the rules begins, as well as to train employees about identity theft prevention and continue to stay current on privacy laws and regulations.
