The Federal Trade Commission announced Friday that it will delay enforcement of the new "Red Flags Rule."
The rule was scheduled to take effect on May 1, but will be extended to August 1 to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.
Hospitals and doctors fall under the rule's definition for creditors because they extend delayed payment plans to their patients.
Hospitals may satisfy the definition of "creditor" by deferring patient payments for goods or services, offering patients extended payment plans or extending credit to physicians through income guarantees and recruitment loans.FTC officials said the decision to delay enforcement doesn't affect other agencies' enforcement of the original Nov. 1, 2008 compliance deadline for institutions subject to their oversight.
This is the second delay that the FTC has issued. Officials instituted a six-month delay on enforcement last fall, until May 1.
"Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs and give Congress time to consider the issue further," FTC Chairman Jon Leibowitz said.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft.
FACTA's definition of "creditor" applies to any entity that regularly extends or renews credit - or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor.
FTC officials learned last year that some industries and entities within the agency's jurisdiction were uncertain about their coverage under the Red Flags Rule, so they developed materials to help explain who is covered and how to develop identity theft prevention programs.
The Red Flag rules require a creditor to develop and implement a written program that has reasonable policies and procedures for detecting, preventing and mitigating identity theft. An institution's board of directors must be involved in approving and monitoring the Red Flags program.
The American Hospital Association has encouraged its members to consult with appropriate legal, financial and technical advisors to determine whether the Red Flag Rules apply, and if so, what actions should be taken to comply.
Photo by dcJohn obtained under Creative Commons license.