Occasionally, I like to point those readers who are in-house counsel or private practitioners and who represent financial institutions to a useful publication that's available on-line from another law firm. Ordinarily, I'd make a snarky, self-deprecating comment at this point; however, my e-mail lately indicates that there are some readers who not only don't "get" the snark, but take it at face value and begin to froth at the mouth with politically correct apoplexy. So, just for today, I'll play it straight. Tasteless, low-brow sarcasm will resume tomorrow.
Today's resource is the Proskauer Rose LLP Privacy Law Blog, which has good material on, of all things, privacy law. Of particular interest to many businesses is a recent post on the suspension of enforcement by the FTC of the "Identity Theft Red Flag and Address Discrepancies Rules" until May 1, 2009. Unfortunately, the suspension applies only to those businesses subject to FTC enforcement of the rules, not to financial institutions governed by the Red Flag rules that are enforced by the federal bank regulatory agencies. As to the latter, you banks better be in compliance by the end of this week!
The reasons for the FTC action are interesting.
The rules apply to financial institutions and creditors. But, according to the FTC, many companies “indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution.” Moreover, the FTC said that companies not traditionally subject to the jurisdiction of the FTC did not follow the FTC’s rulemaking, and consequently did not become aware of their obligations under the Red Flag Rules until very recently. The FTC also expressed concern that covered entities, to meet the fast approaching November 1 deadline, were not taking the appropriate care necessary to do a proper risk assessment and craft a meaningful red flags program.
As the FTC stated, “[g]iven the confusion and uncertainty within major industries under the FTC’s jurisdiction about the applicability of the rule, and the fact that there is no longer sufficient time for members of those industries to develop their programs and meet the November 1 compliance date, the Commission believes that immediate enforcement of the rule on November 1 would be neither equitable for the covered entities nor beneficial for the public.” Therefore, the FTC will delay enforcement of the new rules for six months. Considering this generous extension, covered entities should be on notice that they will need to have a written identity theft prevention program in place by the May 1, 2009 deadline.
So, this time around, being a clueless ignoramus turned out to be a good thing, unless you were a financial institution regulated by one of the federal bank regulatory agencies.
Many banks were well on their way to compliance with the Red Flag rules as part of their information security and customer identification programs, long prior to November 1. Red Flag and address discrepancies compliance has been more a matter of documenting the program and having it approved by the board of directors.
Incidentally, the OTS released last Friday revised examination procedures, which were developed jointly with the other agencies, for examinations after November 1, 2008. The revised procedures incorporate procedures to test compliance with the Red Flag rules. The OCC released its revised examination procedures on October 15, 2008, which also addressed affiliate marketing and opt-out notices.