FTC Backs Off Red Flag Rules Again

coondoggie writes to tell us that the Federal Trade Commission has yet again backed off of the new Red Flag Rule designed to protect consumer information. Complaining about cost of implementation, the enforcement date of the rule has been pushed back to August 1, 2009 to give businesses and institutions time to implement identity theft-prevention programs. "The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. The final rules require financial and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said."

Don't Confuse Banks and Credit Unions

[mpapet]

They are separate and generally speaking do not follow the same rules.

For example, Bank of America and Chase would not be required to follow these rules.

The 'backing off' doesn't surprise me one bit as the NCUA is probably in as much trouble as the FDIC with failed credit unions, and lack of funds to protect depositors.

http://www.cutimes.com/Pages/News.aspx

Re:Don't Confuse Banks and Credit Unions

Actually, they do follow the same rules; FFIEC sets the information security guidelines for both.

The big difference is how the groups are audited. Banks deal with more (and stricter) regulatory bodies.

I audit both groups and have found that most have already addressed red flag rules (if they are not already compliant).

Red Flag rules aren't tough for financial institutions because the rules overlap with previous requirements. It's the other groups that are having trouble.

The hospitals I audit do not have the culture yet for information security and that starts at the top with the doctors.