Congress has passed legislation resolving uncertainty it created after directing the federal financial institution regulatory agencies and the Federal Trade Commission to develop the Identity Theft Red Flags Rule.
The rule requires many businesses and organizations to have a written Identity Theft Prevention Prgoram designed to detect the warning signs "red flags" of identity theft in their daily operations. The legislation clarifies which entities must comply with the rule.
The House passed the bill "Red Flag Program Clarification Act of 2010" on Tuesday, less than a week after the Senate approved the bill.
The enforcement date for the rule is Dec. 31. The FTC said earlier this year that it delayed enforcement at the request of Congress as it "considers legislation that would affect the scope of entities covered by the rule." Compliance date was Nov. 1, 2008.
"We're pleased Congress clarified its law, which was clearly overbroad," says FTC Chairman Jon Leibowitz. “Now, we can go forward with less litigating and more protecting consumers from identity theft.”
The rule doesn’t require any specific practice or procedures. It gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces.
Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software.
Groups with a low risk for identity theft may have a more streamlined program – for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.