The Federal Trade Commission today delayed until Nov. 1 a rule that would require financial institutions, including investment advisory firms, to have programs to detect and prevent identify theft for their customers.
The FTC’s “red flags” rule was initially set to take effect Aug. 1.
But the agency said that some companies, particularly small businesses, are not certain what rules apply to them or what their obligations are.
The agency said it will issue additional guidance on how to comply with the rule shortly.
The FTC operates a Red Flags website, ftc.gov/redflagsrule, that helps companies determine if they are covered and how to comply with the rule.
The FTC signaled that it intends to apply the rule broadly and that it could apply to investment advisers, according to an alert issued by the ACA Compliance Group of Washington.
If they bill their clients for services or if they use consumer reports to evaluate prospective employees, they must comply with the rule, ACA said in the alert.
Other activities that could bring firms under the rule include accrual of incentive fees or arranging funds for clients to buy securities on margin.
Firms must develop and implement written identity theft prevention programs and ensure that service providers have reasonable policies in place to protect customers.
While most advisory firms have such programs in place already, ACA said, they may need to enhance their procedures to comply with the FTC rule, especially the rule’s requirement that third-party providers maintain similar procedures.