BusinessWeek Blog: The FTC's Red Flags Rule: Last Chance to Learn

The Federal Trade Commission recently announced that it was postponing the implementation of the Red Flags Rule from August 1, 2009 to November 1, 2009. In doing so, the FTC also announced a new business education initiative designed to help companies understand what the Red Flags Rule is and how and why they need to comply with it. This is probably a very good move by the FTC, considering that most firms have not even heard of the Red Flags Rule, let alone know that they will be subject to it (now) as of November 1.

In case you haven't heard of it, the Red Flags Rule was drafted by the FTC in response to the growing number of identity theft and data breach incidents, many involving thousands or even millions of consumer records. Rather than simply issuing guidance on what to do when a data breach occurs, the FTC now requires companies that may be at risk of data breaches and identity theft to proactively examine, identify and deal with the risk factors they face. The rule itself obligates financial institutions and any other creditor that holds a consumer account to "develop and implement an Identity Theft Prevention Program" with policies and procedures to help reduce identity theft. What makes this rule so challenging, however, is that unlike other rules relating to financial institutions (such as the Gramm-Leach-Bliley privacy rules), the Red Flags Rule applies to any firm that maintains an ongoing account through which a consumer is charged. As the FTC itself may be subject to the rule, you need to begin working on compliance now if you have not already done so.

The best place to start for information on the Red Flags Rule is the FTC's own Web site. There, you will find a guide for businesses discussing the Red Flags Rule, including how to determine if your business or organization is subject to it. You may also want to seek out others in your industry, whether through trade associations or publications, in order to share information and best practices. Ultimately, though, whether the Red Flags Rule begins on November 1 or later, it is coming, and many firms and organizations will find themselves out of compliance if they don't begin working on it now.
