Attorneys are not like normal people. When normal people wake up in the middle of the night, they think about sex, money troubles or the burritos they ate before going to bed. But not attorneys. They think about the hidden meaning of 16 CFR 681, Appendix A, Part IV. At least this one does.

Let me explain. 16 CFR 681 is commonly known as the Red Flags Rule. It applies to most financial institutions and, because most car dealerships originate financing, it applies to most dealerships. Whether or not the FTC officially begins its oft-delayed enforcement of the Rule on Jan. 1, 2011, it has been in effect since Jan. 1, 2008.

The Rule itself contains 4,074 words; I boil the Rule’s requirements down to seven:

1. Policy (an Identity Theft Prevention Program (“ITPP”), to be exact)
2. Training (staff on how to effectively implement the ITPP
3. Detect (attempts at identity theft)
4. Prevent (instances of identity theft)
5. Mitigate (the effects of identity theft)
6. Oversee (service provider agreements)
7. Ensure (that the ITPP continues to work over time)

Yeah, I know – George Carlin’s seven words were far more interesting. But these words carry legal requirements, so they deserve special attention. Today, my attention is drawn to “Mitigate.”

The Red Flags Rule clearly requires dealerships to have a policy in place that mitigates identity theft in connection with their “covered accounts.” In a dealership, “covered accounts” would mean installment sale contracts and leases. But what does “mitigate” mean?

Of all 4,074 words of the Rule, not one – not one! – is spent defining one of its seven basic requirements. Except, maybe, Appendix A, Part IV. That section is titled “Preventing and Mitigating Identity Theft.” The problem is, you can’t tell if the text that follows is addressing prevention or mitigation. And more to the point, if the dealership faithfully followed all of the suggestions in Appendix A, Part IV, no rational person would believe an identity theft event would have been effectively mitigated.

Appendix A, Part IV lists eight possible actions to prevent and mitigate identity theft (nine if you count the last one – “Do nothing”). Of the eight, only four could apply to an installment sale contract or lease: (b) Contacting the customer; (f) Closing the account; (g) Not attempting to collect on a covered account or not selling a covered account to a debt collector; and (h) Notifying law enforcement.

So the problem is, even if a dealership performs those four tasks, is an identity theft event really mitigated?

Logically speaking, by the time a criminal enters a dealership and attempts to take delivery of a vehicle in a victim’s name, an identity theft has already occurred. What is left to occur is monetary damage flowing from that identity theft. If a thief accomplishes delivery of a vehicle by getting it funded in the victim’s name, mitigation is accomplished in a narrow sense by canceling the financing.

But in a broader sense, mitigation hasn’t really occurred: the victim’s identity is still circulating and capable of being misused again and again, and the dealer now owns the paper. Ouch!

For true mitigation to even begin, at a minimum, a fraud alert must be placed on the victim’s credit file – and the dealership is not required to take that step. Curious. Mitigation would also logically imply investigating what other damage has been done using the stolen identity, and then unwinding that damage to return the identity to its pre-event status.

While the Rule does not require it, granting either every victim or every customer access to identity theft recovery service would provide a more meaningful level of mitigation, and certainly a higher level of customer satisfaction. Before we discuss this service, a couple of definitions would be helpful.

Assisted Recovery is the process of a victim attempting to restore his own identity with the advice of a professional. This advice is usually provided through a “how to” manual and, in some cases, telephone consultations. But the actual tasks necessary to restore an identity are performed by the victim.

Blanket Coverage is where ID recovery services are provided to every member of a defined group, such as every customer of a dealership. Because it is essentially group coverage, blanket coverage is less expensive than individual coverage.

Fully-managed Recovery is the restoration of a victim’s identity to its pre-event status performed by professional identity recovery advocates rather than by the victim. It is accomplished by the victim filling out and providing to the recovery advocate a limited power of attorney, which authorizes the recovery advocate to act on the victim’s behalf. Although the victim must cooperate with the process for it to be successful, the heavy lifting is done by professionals, not the victim.

In the vernacular, assisted recovery isn’t worth a 480 BEACON score in a Lexus dealership. A victim doesn’t want to be told how to fix a problem – he wants the problem solved. And the best way to do that is through a fully managed recovery.

Fully managed recovery by a reputable provider is the gold standard. But if provided after the fact, it is quite expensive. Such ex post facto remediation’s generally start in the four-digit range and can go up quickly, depending on the complexity of the case. Blanket coverage – providing the coverage to all finance or lease customers (cash customers aren’t covered by the Rule, but it’s a nice touch) – is the most economical way of providing meaningful mitigation to a dealership’s customers.

Again, this level of mitigation goes beyond the bare requirements of the Rule, but it more clearly accomplishes the Rule’s intent.

Oh, yeah – what about the dealership that had to eat the $45,000 RISC on a vehicle it delivered to the identity thief? Who mitigates that? Answer: nobody. That’s where prevention really comes into play – a good topic for next time.

Many of the menu companies that our P&A readership use provide identity verification transactional checks to prevent identity theft and help satisfy the provisions for the Red Flags Rule. But how effective is the identity verification tool in thwarting identity theft and reducing liabilities?

On Jan. 1, 2011, sections 114 and 315 of the Fair and Accurate Credit Transactions Act, known to many as the Red Flags Rule, is scheduled to be enforced by the FTC. Due to the importance of this law and all the publicity that it has received over the past few years, we decided to take a look at the Rule from the perspective of both an identity verification solution provider and a legal professional. We were specifically interested in whether the automated identity verification transactional checks help to effectively satisfy the law’s requirements and what else may be necessary to comply under the Red Flags Rule.

What are the pros and cons of transaction-based Red Flags checks?

Jim Ganther, president of Mosaic: “One of the greatest ‘pros’ of a transaction-based Red Flags check is that it addresses the Rule where it hits the road: the creation of covered accounts. In the automotive space, the creation of covered accounts means the establishment of a finance or lease contract. Another pro is that such an approach can be inexpensive and relatively easy to accomplish. For example, there are services available that can run swift electronic verification programs to confirm that the identity being offered is, in fact, a genuine identity.“

Transaction-based Red Flags solutions automatically create searchable, archived records of compliance. When it comes to legal compliance, if you don’t record it, it didn’t happen. And any program that doesn’t require an F&I manager to create a record by hand is a good thing.

On the “con” side of the equation, it can be easy to fall into the trap of believing the transactional approach is sufficient to address all of a dealership’s obligations under the Rule.

Pattie Dillon, president of Veratad: “The Red Flags Rule requires dealers to “detect, prevent and mitigate identity theft.” Dealers using online ID verification, as a process to help detect Red Flags and prevent identity theft, in conjunction with conventional methods of paper verification, are taking an important step to assure that the person presenting a verifying document is in fact who they say they are. For example, online verification can reveal if a name and address are sufficiently associated or if a person’s name appears on the deceased list in public records. In addition to address, age and social security number discrepancies, verification can provide an immediate check of OFAC as required by the USA PATRIOT Act. As an added layer of security and at the dealer’s option, they can present non-credit related “knowledge-based challenge questions”; the answers to which, should only be know by that person being checked. In addition to avoidance of fines for non-compliance, use of online ID verification is a way for dealers to reduce their risk of fraud and mitigate the reputational risk associated with the theft of a consumer’s identity.”

What is the area in which they fall most short of addressing the law? Do they mislead the dealership by giving them a false sense of security?

Ganther: There are services available that can run swift electronic verification programs to confirm that the identity being offered is, in fact, a genuine identity. This is not sufficient to satisfy the Rule, however. The dealership must then confirm that the person offering the identity is actually the person represented by the identity, not an identity thief. But not to worry: the same programs that verify the authenticity of an identity can usually generate out-of-wallet challenge questions to confirm that the person presenting the identity is the real McCoy. Out-of-wallet challenge questions, by the way, are questions generated from literally billions of public records that are over seven years old. The reason for the age of the questions is that lots of this information can could be found on a credit report if seven years old or less. And once an identity thief has your name, DOB and SSN, he can run a bureau on the victim and the ID verification process becomes an open-book test.”

Ganther further explains that there is a trap of believing the “transactional approach is sufficient to address all of a dealership’s obligations under the Rule. It is not. A dealership must have a written Identity Theft Prevention Program (ITPP) in place, approved in writing by its Board of Directors or senior management. It must have a training program that addresses and implements the ITPP. It must detect, prevent and mitigate identity theft. It must oversee its service providers to ensure they are following the Rule, as applicable. And finally, the dealership must ensure that the ITPP continues to work over time. This means, at a minimum, an annual audit of the program and its effectiveness, and a written annual report to the Board of Directors or senior management.”

Dillon: “No, online identity verification should not be used as the sole source of validating a consumer’s identity or addressing the Red Flags Rule; it should be used in the context of common sense and as part of the dealer’s overall due diligence in detecting, preventing and mitigating identity theft. For example, Veratad’s Online Identity Verification IDMatch+PLUS can be used to augment inspection of government-issued ID presented by a customer. The online process does this by establishing that a person is who they say they are (either in advance or after submission of personal information to credit bureaus) with challenge questions; however, dealers still need to look for other red flags such as inconsistencies when comparing photo ID, age, gender, etc. with the physical appearance of the customer.

Dealerships can avoid a false sense of security by assessing their risk of identity theft and implementing a plan to detect, prevent and mitigate it based on the size and complexity of their dealership. By following the Red Flags Rule guidelines and verifying the identity of their customers before a vehicle leaves the dealership, dealers are taking an important step in avoiding any false sense of security pitfalls.”

If a dealer uses a transaction-based check to help prevent identity theft, what more do they need to do?

Ganther: “At best, it can address the requirements to ‘detect and prevent’ identity theft. The other five require additional, and significant, effort. To tell the FTC (or, more likely, the plaintiff’s law firm) that you run a transaction-based identity verification program but nothing else is to admit you are intentionally violating the Red Flags Rule. That is not a good place to be.

One final note: the Rule requires dealerships (and all other ‘financial institutions’) to ‘prevent’ identity theft. But this is impossible. By the time an identity thief shows up in F&I to take delivery of a vehicle he will never pay for, the identity theft has, by definition, already occurred. Actually preventing an identity from being stolen at or through the dealership is covered by the Safeguards Rule. What the dealership can really do when an actual identity thief tries to take delivery of a vehicle is to prevent further damage flowing from the identity theft.”

Dillon: “All dealerships are required to assess the risk of identity theft for their organization(s) and create a Red Flags Identity Theft Prevention Program based on that risk assessment. Senior management must approve the program and it must be reviewed, at a minimum, annually. In addition, employees must be trained to detect and respond to red flags and the dealership is responsible to assure that all service providers having access to the dealerships ‘covered accounts’ are also compliant. It is important for dealers to consult their attorney to assure compliance.”

Do you think a menu company should charge for this service?

Ganther: “Of course a menu company should charge for this service! It costs hard dollars to obtain these services and integrate them into the menu system, which makes their use easier for the dealership personnel. Menu companies place themselves in the line of liability should the system fail to detect an identity thief, or cause a legitimate buyer to be denied a vehicle. No one should be asked to work for free!”

Dillon: “Veratad’s menu company clients providing Red Flags Rule related services, such as identity verification, usually provide that service as an integrated offering within their menu software. Dealers use the ID verification process as an opportunity to show customers they are serious about protecting their personal information.

It is generally believed that the finance professional responsible for reviewing menu options with a customer before delivery is in a perfect position to assist the dealership with that part of its compliance obligation to detect and prevent identity theft. Performing online identity verification with OFAC before vehicle delivery not only protects consumers but also protects the dealership from fraudulent transactions.

Menu companies integrate Veratad’s IDMatch+PLUS so the verification becomes a seamless part of the F&I process. The service is priced so the menu company can include the service at no cost to dealers (as a market differentiation) or alternatively, they can charge the dealership a per transaction fee with a modest mark-up to cover the menu company’s costs associated with implementation and ongoing support. In either case, having IDMatch+PLUS built in to the menu provides a convenient verification at a cost usually less than $1 per car.”

In our January issue we will be taking a look at the pros and cons of the red flags compliance from a menu provider perspective by revealing similar questions asked and answers furnished from a few menu providers who incorporate red flags compliance within their software.

POWAY, Calif. – CoreLogic Credco, a provider of automotive specialty credit reporting solutions and a division of CoreLogic has introduced Red Flag Viewpoint, an integrated online reporting dashboard that combines, summarizes and delivers easy-to-read reporting on Red Flags Rule compliance efforts for automotive dealers.

Developed in collaboration with Compli and part of Credco’s comprehensive Red Flag compliance suite, Red Flag Viewpoint is designed to help dealers meet the Red Flags Rule’s requirement of regularly monitoring and updating their Identity Theft Prevention Program.

The Red Flags Rule went into effect January 1, 2008, and is scheduled for mandatory enforcement by the Federal Trade Commission beginning January 1, 2011.

“Without sufficient data and the latest technological advances, deterring identity theft and maintaining compliance with the Red Flags Rule can be a complex, time-consuming task,” said Kevin Clements, senior vice president of corporate development for CoreLogic Credco. “Red Flag Viewpoint is specifically designed to simplify the monitoring and reporting requirement of the Rule, easily and effectively, allowing dealers to stay focused on sales objectives and other critical operations.”

Red Flag Viewpoint’s proprietary algorithms and reporting capabilities enable dealers to conveniently analyze their applicant portfolio on multiple levels to monitor for potential Red Flag risk. Available on Compli’s intuitive web-based platform, the easy-to-use interface lets users report directly off key identity verification alert statuses; access dynamic views of their entire applicant pool and associated risks; and export data for auditing and reporting.

Using Red Flag Viewpoint means dealers can easily monitor, analyze and report on a wide range of customer data provided exclusively by Credco. They can drill down on metrics and audit reports for detailed analytics, or view customer data as broadly as needed. Reporting analytics can also be viewed either on entire dealers groups or individual dealers. For more information, automotive dealers can call (866) 348-2404 or visit www.credcoservices.com/RFM.

The Red Flags Rule went into effect on January 1, 2008. Its “enforcement date” – meaning the date FTC enforcement against dealerships becomes possible – has been postponed several times and is currently slated for December 31, 2010.

The slippage surrounding the enforcement date has led many in the industry to the false conclusion that the Red Flags Rule does not yet apply. This assumption is incorrect. The only piece of the Rule that isn’t effective is the FTC’s right to go after dealerships that violate the Rule, but that is a remote risk in any case.

The most immediate impact for a dealership that fails to comply with the Red Flags Rule is that its funding sources could turn off. The Rule applies to banks, credit unions and captive lenders as well as dealerships, and allows those funding sources to do business only with dealerships that follow the Rule themselves. That requirement has been in place since November 1, 2008.

Despite the severe practical penalty for failing to follow the Rule, anecdotal evidence suggests two realities: (1) most dealerships don’t know the scope of their obligations under the Rule; and (2) most dealerships therefore are probably not in full compliance with the Rule.

The Rule (codified at 16 CFR 681) has three operative sections:

• 681.1 Duties of uses of consumer reports regarding address discrepancies. The requirements of this brief section can actually be considered under the next one.
• 681.2 Duties regarding the detection, prevention, and mitigation of identity theft. This is where the action is. New obligations live here.
• 681.3 Duties of card issuers regarding change of address. As most dealerships don’t issue credit cards, we’ll skip that one.

So, what exactly is a “red flag,” anyway? A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft. The Rule identifies five categories of red flags and provides over two dozen examples of such red flags. Examples the Rule provides include

• Documents provided for identification appear to have been altered or forged;
• The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification; and
• An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Things like these should raise a “red flag” in the mind of the dealership employee that encounters them, hence the name of the Rule. Dealerships must create a program that detects, prevents and mitigates identity theft by addressing the red flags that are relevant to their operations.

When the Red Flags Rule was announced in the Joint Final Rules and Guidelines, it weighed in as a 256-page cure for insomnia. But in its simplest form, it can be distilled down to just seven words:

1. Policy
2. Training
3. Detect
4. Prevent
5. Mitigate
6. Oversee
7. Ensure

Reasonable minds can come up with a longer or shorter list of requirements, or a different way to characterize them, but the foregoing list provides an easy way to discuss a dealership’s obligations, and makes the whole issue easier to understand. With that in mind, here is an overview of dealership obligations under the Rule.

Policy

At the core of the Rule is the requirement for “financial institutions” (which includes most dealerships) to create a written Identity Theft Prevention Program (ITPP). This is actually a misnomer, as no dealership can prevent identity theft – by the time an identity thief shows up to buy a car using a stolen identity, the theft has already occurred. But what the ITPP can do is prevent further damage from the identity theft, at least at the dealership.

The ITPP must be reviewed and approved in writing by the dealership’s board of directors or senior management. This requirement of a name on the “blame line” is clearly intended to extend liability to the dealer principal or senior management personally. “My GM handles that” will not be a defense!

The policy must reflect a consideration of all the red flags that might arise in the dealership, and establish a consistent process to address them. And if there is an irreducible minimum standard to be set forth in an ITPP, it is that no vehicle may be delivered in a case where an identified red flag remains unresolved.

Training

Interestingly enough, the Rule does not require training about the scope of the Rule itself (though that is a good idea). Rather, the Rule requires training about the scope of the dealership’s ITPP. At a bare minimum, a procedure must be in place that confirms receipt of the ITPP by the dealership employees it involves, and that those employees have read it, understand it and agree to follow it.

This type of training is well-suited for computer-based interactive instruction that tracks the ITPP itself. Coupled with a learning management system (LMS), this training can record and archive the fact of each employee’s training and the results. When it comes to lawsuits or enforcement actions, if it isn’t documented it never happened. An LMS makes sure the training is documented.

Detect

Detection of identity theft can be as easy as noticing the photo on a doctored driver license doesn’t match the age of the person it describes. Or it can be nearly impossible in the case of a professional ID theft ring. Common sense is the best defense.

The dealership’s ITPP should require certain basic steps be taken in every transaction. For example, careful examination of a customer’s driver license, paying specific attention to the following factors:

• Does the address on the license match that on the credit report?
• Does the picture and physical description fit the person offering the license?
• Does the birth date on the license match the apparent age of the person offering the license?
• Does the license show any obvious indication of being fake or altered?

Transactions falling under the Rule normally include pulling a credit report on the customer. Those employees who review credit reports should check the credit report for the following:

• Fraud alert
• Notice of address discrepancy
• Credit freeze
• Active duty military alert
• A recent and significant increase in the volume of inquiries
• An unusual number of recently established credit relationships
• A material change in the use of credit, especially with respect to recently established credit relationships
• An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor

Finally, a dealership could install a system to check, by electronic means, the following:

• Customer’s Social Security Number against the SSA Master Death File
• Address discrepancies
• Identity verification
• Age verification

There are numerous vendors for such electronic verification processes, most of which can include OFAC checks as well. Electronic verification has the benefit of being easy, automated and fast.

Prevent

As mentioned above, “prevent” really must mean the prevention of further damage from an identity theft. By the time it becomes an issue at the dealership, the ID theft has already occurred and cannot logically be prevented.

To understand the difference between detection and prevention, it is helpful to understand the difference between identity “verification” and “authentication.”

Identity theft is precisely that – the theft of an actual identity as opposed to creating a false identity. Thus, when a dealership employee is presented with an identity, that identity is likely a real one. Verification means taking steps to confirm the identity is real.

Authentication is the more important step. Authentication means confirming that the identity presented actually belongs to the person offering it. Performing this step properly is the best means of preventing further damage from identity theft at the dealership.

So, how do you authenticate an identity? How much time do you have?

The quickest and most effective method is to use “knowledge-based authentication,” or out-of-wallet challenge questions. This means presenting a customer with questions that cannot be answered by the information commonly carried in a wallet or contained in a credit bureau. Remember, an identity thief can run a credit report on the victim. So if questions are used that involve information in a credit report, the dealership is presenting an open-book test.

Out-of-wallet questions are computer-generated and use data that is more than 7 years old, the age limit for information on a credit report. By asking questions an identity thief can’t answer (“In what state did you live in 1983?”), a dealership can confidently authenticate the identity of its customers.

Out-of-wallet questions should present at least four – and preferably five – possible answers, and at least three questions. The odds of an identity thief correctly answering three five-option questions correctly are 1 in 125. In real life, once a question set is presented to an identity thief, one of three things happens: the thief “forgot something in the car,” has to go to the bathroom or simply runs out of the dealership. In any event, delivery of a car to a thief is thwarted.

For those dealerships with more time or no Internet access, a manual system is possible. A dealership could require customers to present three of the credit cards listed on a credit report, or a current passport or multiple other forms of government-issued ID. If this method is chosen, it must be consistent and documented. Photocopies of the identity-proving documents (but not credit cards!) should be kept.

This approach, however, includes its own risks. All such identifying documents by their nature contain nonpublic personal information (NPI). And NPI must be protected pursuant to the FTC Safeguards Rule. For my money, the electronic challenge question method is the way to go.

Mitigate

The requirement that dealerships “mitigate” identity theft suffers from a major flaw: the Rule does not define “mitigate.” Using plain English, this should mean at least to lessen the impact of the identity theft. At best, it means the restoration of an identity to its pre-event status.

In practice, this means that the dealership’s ITPP should include the requirement that the dealership “eat” the car it delivers to an identity thief – effectively buying back the deal from the victim who had no knowledge of the transaction. As a court will probably require this anyway, it is not really adding much to the dealership’s risk.

Including fully-managed (not “assisted”) ID recovery service to every transaction is a more proactive means of satisfying this ill-defined legal requirement. It is not my position that the Rule requires this – I don’t know how Courts will interpret this requirement – but it would help a dealer sleep at night, and it is inexpensive.

Oversee

Any business covered by the Red Flags Rule is required to “oversee” its service providers. This means that a dealership can only engage companies that also follow the Rule to the extent it applies to them. This is accomplished by contracts, or addenda to existing contracts, that pass along a dealership’s obligations under the Rule.
The purpose behind this requirement is to prevent a dealership from evading its obligations by contracting out its duties to a third party that may not follow the Rule. This is one buck that cannot be passed!

Ensure

A dealership must ensure its ITPP continues to work over time. The Rule requires a report be made to the dealership board of directors or senior management at least annually on the dealership’s compliance with the Rule.

The report should address material matters related to the dealership’s ITPP and “evaluate issues such as the effectiveness of the policies and procedures of the [dealership] in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes” to the ITPP.

A good place to start the annual report is to document any instances of identity theft at the dealership in the previous year. Then ask the question, “How could this have been prevented?” Then amend the ITPP accordingly to address the issue.

In addition to all the foregoing, the ITPP must address the filing of suspicious activity reports when identity theft occurs or is attempted at the dealership, and filing notices of address discrepancy when such are detected.

The Red Flags Rule is a lot to digest, but it is a manageable task. And the biggest beneficiary may be the dealership itself, as a properly implemented ITPP should prevent the dealership from buying back paper for a car delivered to an identity thief.

The Federal Trade Commission has delayed enforcement of the Red Flags Rule for a fifth time, extending the deadline to Dec. 31, 2010. According to the FTC’s Website, the extension was made at the request of Congress, which is considering legislation that could affect the scope of entities covered by the rule.

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule — and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Red Flags Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities — known as “red flags” — that could indicate identity theft.

The Rule became effective on Jan. 1, 2008. Full compliance for all covered entities was originally required by Nov. 1, 2008. Most recently, the FTC announced in October 2009 that at the request of certain members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The commission has urged Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than Dec. 31, 2010, the Commission will begin enforcement as of that effective date.

WASHINGTON, D.C. – At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as “red flags” – that could indicate identity theft.

The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009. The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Website, and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low-risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. Today’s announcement that the Commission will delay enforcement of the Rule until June 1, 2010, does not affect the separate timeline of that proceeding and any possible appeals. Nor does it affect other federal agencies’ ongoing enforcement for financial institutions and creditors subject to their oversight.