Congress has passed legislation resolving the uncertainty it created when it directed the federal financial institution regulatory agencies and the Federal Trade Commission to develop the Identity Theft Red Flags Rule, which requires many businesses and organizations to have a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. The legislation clarifies which entities must comply with the Rule.
“We’re pleased Congress clarified its law, which was clearly overbroad,” FTC Chairman Jon Leibowitz said. “Now, we can go forward with less litigating and more protecting consumers from identity theft. I want to express my appreciation to Congressmen John Adler and Mike Simpson, and Senators John Thune and Mark Begich, for their excellent work in resolving the uncertainty created by Congress.”
The Rule doesn’t require any specific practices or procedures. It gives businesses the flexibility to tailor their written ID theft detection program to the nature of the business and the risks it faces. Businesses with a high risk for identity theft may need more robust procedures – like using other information sources to confirm the identity of new customers or incorporating fraud detection software. Groups with a low risk for identity theft may have a more streamlined program – for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.