
"Red Flag Rules" Regulation

As many of you know, the Federal Trade Commission’s (FTC) Identity Theft Red Flags Rule went into effect on December 31, 2010, requiring many municipalities and public utilities to implement guidelines for preventing and responding to identity theft. What you may not know is that during the lame duck session, Congress passed the Red Flag Program Clarification Act of 2010 (S. 3987), and President Obama signed it into law on December 18. This law “clarified” who is covered by the Red Flags Rule, and could allow some local governments and public utilities to avoid these guidelines.

The Red Flag Rules require creditors to have guidelines for preventing “foreseeable risk of identity theft” and responding to incidents of identity theft. A municipality is likely considered a creditor under the rule if it collects revenue for a service after the service is rendered. This tends to be the case with most utilities (particularly those that are metered) and some services like waste management. Taxes, as well as fees that fall under taxation such as parking tickets, are not covered by this rule.

The Red Flag Program Clarification Act of 2010 limited the definition of “creditor.” A municipal service or utility is exempt if it does not:

o obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;

o furnish information to consumer reporting agencies in connection with credit transactions; or,

o advance funds (as in cash) based on the recipients' “obligation to repay or repayable from specific property pledged by or on behalf of the person” (this is intended to cover payday lender-style services that may not run a credit check).

Funds advanced “for expenses incidental to a service provided by the creditor to that person” are also exempt.

The FTC and other agencies have the authority to designate other groups as creditors based upon the determination that the accounts they hold are subject to a reasonably foreseeable risk of identity theft. These designations must be made through agency rulemaking.

TML will continue to work with NLC and MTAS and will be providing additional information and guidance in the near future.

last updated 1/18/2011

Previous Update:

In October 2008, the Federal Trade Commission announced a six-month delay of enforcement of the new “Red Flags Rule” until May 1, 2009. As such, municipalities have until that date to develop, adopt, and implement written identity theft prevention programs.

Background

In 2003, Congress passed the Fair and Accurate Credit Transactions (FACT) Act. This Act is intended to combat identity theft and directs the Federal Trade Commission (FTC) to develop regulations requiring financial institutions and creditors to develop and implement written identity theft prevention programs. The FTC issued final regulations, pursuant to the congressional mandate, and set an effective date of November 1, 2008.

The FACT Act regulations, also known as the “Red Flag Rules,” cover all financial institutions and creditors. The FTC has defined a “creditor” as any entity that provides a good or service for which payment is made by the consumer in arrears.

In early 2008, the FTC determined that because payment for many municipal services, such as utilities, is not made until after the service is received and consumed by the consumer, municipalities and/or municipal entities that provide such services are “creditors” and, therefore, are subject to the Red Flag Rules. As a covered entity, a municipality and/or municipal entity is required to implement a written program that enables employees to identify and detect practices or specific activities (red flags) that could indicate the occurrence of identity theft.

The FTC has provided guidelines to assist covered parties in the development of a program. The guidelines provide a list of 26 examples of red flags, including unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. However, it should be noted that the list is not a comprehensive checklist but simply a guide to identify the types of activities and practices that should be addressed in such a program. In addition, the regulations require the written program to describe appropriate responses that would prevent and mitigate identity theft crimes as well as detail a plan to regularly update the program. The Red Flag Rules also impose an additional responsibility concerning the treatment of “Notices of Address Discrepancy” for any municipality or municipal entity that utilizes the services of a consumer reporting agency.

The rules further require that individual employees who routinely handle the information covered under the program receive regular training.

Finally, the rules require the program to be approved by the governing body, managed by senior employees, and provide for oversight of any service providers. Under the regulations, any non-compliant entity is subject to a civil penalty of up to $2,500 per incident. It should also be noted that in addition to the civil penalty, a covered municipality or municipal entity has the potential to realize an increased exposure to lawsuits, including class actions, under the FACT Act. Clearly, the inclusion of municipal governments and municipal entities under these rules presents a number of administrative, financial and liability challenges. TML will continue to work with the FTC through its affiliation and relationship with NLC in an attempt to moderate the impact of the Red Flag Rules.

In addition, the Municipal Technical Advisory Service (MTAS) has prepared a training curriculum: Model Identity Theft Policy and FACTA Compliance. A link to these prepared materials can be found on the MTAS and TML websites. Within the curriculum are a model identity theft policy, important definitions, program requirements, an explanation of violations, a sample Adopting Resolution, and other materials to fully prepare all cities for these requirements.