Dear Mr. Mica:
Thank you for your October 30, 2008, letter on behalf of the Credit Union National Association (CUNA) requesting that the National Credit Union Administration (NCUA) consider extending its enforcement deadline for the Identity Theft Red Flags Rule for federal credit unions to May 1, 2009. We have considered your request; however, NCUA has no plans to delay enforcement of this rule beyond the November 1, 2008 mandatory compliance date.
The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act to prevent identity theft, improve resolution of consumer disputes, and improve the accuracy of consumer records and consumer access to credit information. Pub. L. No. 108–159 (Dec. 4, 2003). In July 2006, the federal banking agencies, NCUA, and the Federal Trade Commission (FTC) (the Agencies) issued a joint notice of proposed rulemaking implementing the provisions on identity theft red flags and address discrepancies in the FACT Act. The proposed rules were issued with a 60-day comment period. 71 Fed. Reg. 40,786 (July 18, 2006).
On November 9, 2007, the Agencies published in the Federal Register final rules effective January 1, 2008, with a mandatory compliance date of November 1, 2008. 72 Fed. Reg. 63,718 (Nov. 9, 2007). Under the final rules, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. NCUA’s rule applies to federal credit unions. See 12 C.F.R. Part 717.
On October 22, 2008, the FTC announced it will delay administrative enforcement of the Identity Theft Red Flags rule for entities under its jurisdiction until May 1, 2009 to provide them with additional time to develop and implement written identity theft programs. See 16 C.F.R. §681.2. According to the FTC’s press release: “Commission staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule. . . . The Commission’s delay of enforcement will enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule.” http://www.ftc.gov/opa/2008/10/redflags.shtm. The FTC’s action does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R. §681.1), or to the rule regarding changes of address applicable to card issuers (16 C.F.R. §681.3).
The extension does not affect other federal agencies’ enforcement of the November 1 compliance deadline for those institutions subject to their respective oversight. As with other regulatory requirements, NCUA examiners will be reviewing federal credit unions’ compliance with the Identity Theft Red Flag Rule as part of NCUA’s normal examination process. For those federal credit unions not in compliance, examiners will consider the credit union’s progress and compliance efforts to date when developing appropriate plans for corrective action.
Feel free to contact me if you have any further questions about this matter.