Join ADAMember Log In

Red Flags postponed until Nov. 1

Washington—The Federal Trade Commission announced another Red Flags enforcement delay to Nov. 1 "to assist small businesses" in understanding the regulation.

In an announcement posted on the FTC Web site, the commission said it will create a special Web link with materials offering "guidance and direction" for the "small and low-risk entities," including dentists and physicians, who have questioned the FTC's application of the Red Flags identity theft rules to their practices.

The American Dental Association helped introduce legislation to exempt health care practices with 20 or fewer employees from the regulation. An ADA-led coalition letter to Congress and a summary of other Association advocacy efforts with regard to the Red Flags Rule issued by the FTC are available at

The ADA-supported legislation, HR 2345, had 32 bipartisan co-sponsors as the FTC responded to resulting congressional pressure, and questions from several House of Representatives committees, with a third enforcement delay. "The three-month extension, coupled with this new guidance, should enable businesses to gain a better understanding of the rule and any obligations that they may have under it," the FTC said.

"These steps are consistent with the House Appropriations Committee's recent request that the commission defer enforcement in conjunction with additional efforts to minimize the burdens of the rule on health care providers and small businesses with a low risk of identity theft problems," the FTC said.

The FTC says health care practices may be "creditors" as defined by the Fair and Accurate Credit Transactions Act of 2003 to include "any entity that extends or renews credit—or arranges for others to do so—and includes all entities that regularly permit deferred payments for goods or services," and thus subject to the Red Flags Rules.

"Accepting credit cards as a form of payment does not, by itself, make an entity a creditor," the FTC said.

The term "red flag" as defined by the 2003 law means a pattern, practice or specific activity that indicates the possible existence of identity theft. Cited in implementing rules and guidelines as "examples" of identity theft red flags are:

  • alerts, notifications or other warnings from customer reporting agencies or service providers such as fraud detection services;
  • presentation of suspicious documents;
  • presentation of suspicious personal identifying information such as a suspicious address change;
  • unusual use of or other suspicious activity related to a covered account;
  • notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft in connection with covered accounts.

Financial institutions are also subject to the FACTA, but the FTC's announced enforcement delay for small business "creditors" does not affect other federal agencies' enforcement of the law with respect to those businesses.