The Federal Trade Commission (“FTC”) announced on July 29th that the date on which the FTC will begin enforcement of the Red Flag Rules has been further extended to November 1, 2009. The Red Flag Rules, which are contained in regulations promulgated by the FTC under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et. seq., require “financial institutions” and “creditors” to adopt written identity theft prevention programs designed to prevent, detect and mitigate the effects of identity theft. The Red Flag Rules are applicable to any entity that meets the definition of a creditor and maintains covered accounts.

Under the Red Flag Rules, a “creditor” is defined as any entity that “regularly extends, renews, or continues credit, or any entity who regularly arranges for the extension, renewal, or continuation of credit.” For example, hospitals, physicians and other health care providers would be considered “creditors” under the Red Flag Rules if they as a regular business practice do not require all patients to pay for medical goods or services at the time that such goods or services are provided.

The FTC is extending its forbearance for bringing any enforcement action for violation of the Red Flag Rules against a financial institution or creditor that is subject to administrative enforcement of the Fair Credit Reporting Act by the FTC, for an additional three months, from August 1, 2009, until November 1, 2009.

The FTC emphasized that this delay in enforcement is limited to the Red Flag Rules and does not extend to the rules regarding address discrepancies applicable to users of consumer reports, or to the rule regarding changes of address applicable to card issuers.

A copy of the FTC’s announcement may be obtained on the FTC’s web site at

This information has been provided for informational purposes only and should not be construed to constitute legal advice.