Join ADAMember Log In

FTC extends time to comply with Red Flags Rules

The Federal Trade Commission on October 22 announced that it would delay for six months enforcement of the Red Flags Rules–which would require financial institutions and creditors to have identity theft prevention programs in place–until May 1, 2009.

The FTC said in its press release announcing the enforcement delay that during the course of outreach efforts to explain the rules, "Commission staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule," and that those entities "indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution."

(The Red Flags Rule was developed pursuant to the Fair and Accurate Credit Transactions Act of 2003. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.)

The FTC also noted in its press release that some complained that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rule-making, and therefore learned of its requirements too late to be able to come into compliance by the original November 1 deadline. A copy of the press release is published on the FTC Web-site at

"We are very pleased that the Federal Trade Commission has postponed for six months its implementation of the "Red Flags Rules," said Tamra Kempf, ADA chief legal counsel. "Recently, FTC staff has taken the position that dentists and other doctors are creditors within the meaning of the Red Flags Rules when they don’t receive payment in full from their patients at the time of treatment—and must, therefore, implement an identity theft program in their practices.

"We believe that characterizing dentists as creditors under the Red Flags Rules is contrary to the legislation on which the Rule is based and that the Rule should not have been extended to dentists without giving affected parties notice and an opportunity to comment. In addition, subjecting dentists to the Rule is unsound policy in that it will inject substantial compliance costs into the health care system without any real benefit to patients."

Ms. Kempf said the ADA will send the FTC a letter voicing objections to the extension of the Red Flags Rules to doctors, and urging the FTC to announce that doctors are not subject to the Rule.

If the FTC persists in its position that dentists are covered by the rule as creditors, the ADA will make available a sample compliance plan or program well in advance of the new enforcement date. Dentists will have sufficient time to consult with their personal attorneys and to put an appropriate identity theft prevention program into place, according to the ADA’s Legal Division.

There is one component of the Rule that is not delayed. It applies to dentists who obtain credit reports in connection with providing services for their patients. Specifically, if there is a discrepancy between an address on a credit report and an address the patient provides to the dentist, the dentist is required to report the correct address to the credit agency.