Red Flags Rule Delayed Again

The FTC has delayed its "Red Flags Rule" yet again. The Red Flags Rule basically requires companies to keep their eyes open for identify theft. It was supposed to go into effect on May 1st but has now been bumped until August 1st, 2009.

These regulations have caused a stir amongst businesses because they apply to almost any entity that grants credit. For a small business, the maintenance of an identify theft program could prove to be yet another expensive regulatory requirement. But the Reds Flags Rule also emphasizes the fact that a program needs to be "appropriate for your company...size and potential risks of identify theft" (the size exemption is also one of the major stipulations in the similarly delayed Massachusetts data security law). Which is a bit of a strange formulation - why do small businesses get a pass on security? After all, shouldn't a business be required to be have the necessary staff on board to operate securely?

But small or not, in its current formulation the Red Flags Rules affects millions of businesses - basically any company that in some way or another extends credit to consumers. Even with the considerable outreach the FTC has done on this issue, I can't imagine that this rule is on the radar of even a fraction of all these businesses. But those businesses seem to have a while until they really need to pay attention - a panel I attended at the recent RSA conference had a few folks from the FTC who were basically saying that actual enforcement is still a ways off. And undoubtedly it is the largest companies who will be looked at first.

Identity theft (a term which is often misused as a euphemism for companies granting credit too easily) is a much more prevalent problem in the US than in most of continental Europe. In many European countries, there is no way to get any meaningful credit without physically presenting documents like a passport or national identity card. And while those can be forged as well, this significantly raises the criminality bar and the associated penalties. So identity theft is essentially a trade-off; credit is either easily obtainable with a high rate of identity theft, or credit is a hassle to obtain with a low rate of identity theft.

The US has had very easy to obtain credit in recent years, and the ubiquity of e-commerce has only exacerbated this problem. But the pendulum is starting to swing in favor of tightening regulation of credit following last year's financial meltdown. The Red Flags Rule may ultimately prove less effective at reducing identity theft than other regulations that have been implemented to protect consumers. Most notably forty seven states now have security freeze laws. These laws basically allow consumers to set up a password so that any access to their credit report requires them to first "unlock" the report with this password.

Because these laws require people to pro-actively go out and place a freeze, there has not been widespread adoption (I can't find a reference right now but I remember reading a while back that there were only several tens of thousands of credit freezes in all of New York State as of a year ago). Some people have been scared off by stories of delays in lifting freezes and having mortgage applications denied as a result. This inconvenience factor figured very prominently in the business opposition to the original freeze laws - without the ability to quickly approve car financing, a sale might fall through.

The argument against credit freezes reminds me of the Simpsons episode where an excited Homer walks into a gun store to buy a rifle. When he discovers there is a 5 day waiting period he exclaims "But I'm mad now!". Slowing down access to credit is probably the only effective means to actually reduce identity theft, but carries with it other economic costs.