FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule Friday, Oct 30 2009 

For Release: 10/30/2009



At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009. The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. Today’s announcement that the Commission will delay enforcement of the Rule until June 1, 2010, does not affect the separate timeline of that proceeding and any possible appeals. Nor does it affect other federal agencies’ ongoing enforcement for financial institutions and creditors subject to their oversight.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

Office of Public Affairs

(Red Flags October 09)


RED FLAGS RULE: Resources available Saturday, Oct 3 2009 

The Red Flags Rule became effective November 1, 2008; however, the actual enforcement date has been delayed several times, resulting in the current enforcement date of November 1, 2009. Several professional organizations are “negotiating” with the Federal government in an attempt to exempt physicians from the definition of “creditors”. The Federal Trade Commission states that the extra grace period is “to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” Penalties for not complying with the Red Flags Rule are $3,500 per incident under Fair Credit Reporting.

The information provided below has been developed to help small businesses that are considered “low-risk” comply with the Red Flags Rule. The following is an excerpt from the Federal Trade Commission website:


Do-It-Yourself Program for Businesses at Low Risk For Identity Theft

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs – or “red flags” – of identity theft. By identifying red flags, you’ll be in a better position to spot an imposter trying to defraud you by using someone else’s identity to get products and services.

As a practical matter, most businesses and organizations that provide products and services to their customers and then bill them later are covered by the Rule. To find out if the Rule applies to you, read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business.

The Red Flags Rule gives you the flexibility to design an Identity Theft Prevention Program appropriate for your business, given its size and potential risk for identity theft. While some companies need a comprehensive Program, businesses and organizations at low risk for identity theft may find that a streamlined Program fits the bill. If you’re at low risk for identity theft, this do-it-yourself Program may be sufficient.  http://www2.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm

This streamlined program seems to be the easiest and most straightforward way to implement the RFR policy in most physicians’ practices.

Some helpful resources provided by professional organizations are as follows:

American Medical Association (AMA) http://www.ama-assn.org/ama/no-index/physician-resources/red-flags-rule.shtml .

Medical Group Manager’s Association (MGMA) RFR Resource Center at http://www.mgma.com/policy/default.aspx?id=22932 .

Modern Medicine article: http://medicaleconomics.modernmedicine.com/memag/article/articleDetail.jsp?id=592249&sk=67a9e20fc29c2e9eeddb4f43bc9d04ff

Federal Register, November 9, 2007:  “Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation” http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf