A fight in Washington over the scope of a new financial regulation could leave some investors personal information vulnerable to identity thieves for the rest of the year.

The Federal Trade Commission said Friday that it would delay for a fifth time the enforcement of its Red Flags Rule, which would require a swath of companies to develop and implement identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities that could signal foul play, the FTC wrote. The rule will not go into effect until Dec. 31, 2010.

The delay came at the request of lawmakers, who asked for more time to consider which companies and individuals should be required to adhere to the rule.

That debate pits legislators, who call for broader safeguards at a wide variety of businesses, against small firms and some doctors, who say such measures are cost-prohibitive and excessive given their true risk.

Identity theft is growing problem among U.S. consumers. It affected 11 million Americans last year, up 11% over 2008, according to research firm Javelin Strategies.

Now, investors face a months-long wait without new federal protection, as lawmakers hammer out which firms would fall under the mandate. The Red Flags Rule applies to financial institutions and creditors, according to the FTC, but requires only the implementation of a written program if those institutions have covered accounts. The FTC defines a financial institution as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.

Banks, federally chartered credit unions, and savings and loan associations fall under the jurisdiction of the federal bank regulatory agencies and the National Credit Union Administration. But the remaining financial institutions, such as state-chartered credit unions, mutual funds that offer accounts with check-writing privileges, or other institutions that offer accounts where the consumer can make payments or transfers to third parties, are under the jurisdiction of the FTC.

The FTC s definition of creditor has sparked debate. It includes businesses and organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. That might include utility companies, health-care providers and telecommunications companies, for instance.

The American Medical Association has objected to the FTC s interpretation of physicians as creditors, subjecting them to the rule, saying in a Feb. 23, 2009 letter that it could have serious adverse consequences on patients access to our health care delivery system and services. The FTC has maintained that the rule was created to be broad, and clearly intended to address all forms of identity theft, including the growing problem of medical identity fraud.

In response to the latest delay, the AMA said in statement that it will utilize this time to convince the FTC and Congress to republish the rule so that there is sufficient opportunity to formally comment and state the AMA's objections to physician inclusion in the program.

Others, including Nydia Velazquez, chairwoman of the Committee on Small Business, have questioned the application of the rule to small businesses broadly and health professionals in particular.

Some of the 26 red flags that companies would be charged with monitoring would include changes in a credit report or a consumer s credit activity; suspicious documents or inconsistent personal identifying information; and suspicious account activity. Address discrepancies, notices of credit freezes, use of altered or forged IDs and reports that customers aren t receiving mailed account statements would all be considered red flags.

Some companies are already in compliance with the rule. For instance, Vanguard created the Vanguard Identity Theft Prevention Program to comply with the Red Flags Rule ahead of the original Nov. 1, 2008, deadline. Designing and implementing the program was, by its nature, time consuming, but it wasn t particularly difficult because many parts were already in place, said a Vanguard spokeswoman.

Vanguard s program applies to web, telephone and paper communications and includes provisions for indentifying, detecting and responding to red flags, and updating the program periodically to respond to changing trends in identity theft.

A spokeswoman for Bank of America says the company is also "fully compliant" with the Red Flag Rules.

Still, without federal enforcement, there s no way to know that every firm is complying. There s a whole swath of industries that are not being regulated because of the delays, says Tom Oscherwitz, vice president of governmental affairs and chief privacy officer at ID analytics. I think it s fair to say at this point, businesses are questioning if and when the FTC is going to enforce the rules, he says, adding that fraudsters, like water, tend to move to the area of least resistance.

Charles Rotblut, vice president of the American Association of Individual Investors, says it is unclear whether such rules are even enforceable. Is there someone to make sure [the new rules] can be followed?" he asks. "Is there a standard that will actually stop ID theft rather than just create more bureaucracy for companies?"

The rule was originally scheduled to become effective on Jan. 1, 2008, and companies were required to comply by Nov. 1, 2008. But enforcement has been delayed multiple times, as Congress has sought to determine the scope of the law.

For now, Oscherwitz says investors and borrows would be wise to take the following precautions:

1. Be careful with the personal information kept at home. Put it in a secure, locked place.

2. Use caution when sharing data. For instance, when providing tax information to an accountant, don t send it through unencrypted email. Also be skeptical about new web sites and people asking for information, such as a Social Security number, on the phone, he says.

3. Monitor credit and banking information periodically. Everyone is entitled to a free credit report annually. Also check statements from your bank and other accounts.