The Federal Trade Commission released an Enforcement Policy Statement on October 22 that postpones enforcement of the new “Red Flags Rule” for six months, until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. The postponement does not affect enforcement of the original November 1, 2008 deadline by the federal financial institution regulators.

Last November, the FTC and the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and National Credit Union Administration published a joint notice of final rulemaking finalizing the Identity Theft Red Flags regulations and guidelines to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”).

The rule requires creditors and financial institutions to implement written identity theft prevention programs that provide for the identification, detection, and response to patterns, practices, or specific activities (“red flags’) that could indicate identity theft. Although the final rule became effective on January 1, 2008, full compliance with the rule was not required until November 1, 2008.

Now, a week before the deadline, the FTC has announced that some of the industries and many of the entities under its jurisdiction indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking.

The FTC emphasized, however, that the enforcement delay is “limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3).”

A few days before the FTC made its announcement, the FDIC issued a financial institution letter (FIL-105-2008) to provide examination procedures on identity theft “red flags,” address discrepancies, and change of address requests.

The FDIC said risk management examiners will examine institutions for compliance with the red flags regulation (12 CFR 334.90) during risk management examinations, and compliance examiners will examine institutions for compliance with the address discrepancies and change of address regulations (12 CFR 334.82 and 334.91) during compliance examinations.