On Wednesday, the Federal Trade Commission announced they were delaying enforcement of the ID Theft Red Flags Rule until May 1, 2009. This delay ONLY applies to organizations supervised by the FTC. It does NOT apply to institutions supervised by the member agencies of the FFIEC (FDIC, OTS, OCC, FRB and NCUA). As of this blog posting, there has been no public announcement from the FFIEC agencies regarding any extension of the November 1 compliance deadline for Red Flags.
According to the press release, the deadline is being moved further out because of a uncertainty about who has to comply with the Red Flags Rule:
During the course of these efforts, Commission staff learned that some industries and entities within the FTC's jurisdiction were uncertain about their coverage under the Rule. These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act's definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rule making, and therefore learned of the Rule's requirements too late to be able to come into compliance by November 1, 2008. The Commission's delay of enforcement will enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule.
We'll keep an eye on this and provide an update if we hear anything from the FFIEC agencies.