Municipal Compliance with the Red Flags Rules

February 12, 2010

Identity theft has been a real problem in the United States. Pursuant to applicable federal law and in an effort to extend consumer protections against identity theft, the Federal Trade Commission (“FTC”) adopted regulations in 2007 requiring all utility companies and other entities that act as “creditors” and provide certain types of customer accounts to enact “red flags policies” aimed at protecting personally identifying consumer information. Originally, the FTC regulations required compliance with the rules by November 1, 2008. However, that date has been periodically extended by the FTC due to a number of questions and issues that have arisen. The current compliance date is June 1, 2010.

The first question that invariably arises is: “Who is required to comply with the Red Flags Rules?” Clearly all financial institutions must, as well as any “creditors” that maintain certain types of accounts. The rules define a “creditor” as an entity that regularly extends, renews or continues credit, including the provision of a service for which payment is made after the service is provided. A utility company is one example, including one operated by a governmental entity. Given the definition of “creditor,” governments that provide municipal sewer, water, gas, electric, telecommunications or other utility service are and will be covered by the Red Flags Rules.

The Rules have created a tremendous amount of confusion when applied to governmental bodies. As of this date, it does not appear that the FTC will be applying the Rules to a governmental body when it collects property taxes, business license taxes, parking tickets, special assessments, impact fees, etc. However, for those municipal entities that provide the foregoing utility services, it appears that the rules will be applicable.

If a municipality is subject to the Red Flags Rules, then the question is: “What can government do to get in compliance?” As a creditor, municipalities will be required to develop a program to prevent identity theft that, according to the rules, is “appropriate for the size and complexity of the municipality.” Each program must contain reasonable policies and procedures to:

  1. Identify risks of identity theft
  2. Identify relevant red flags for new and existing covered accounts and incorporate those red flags into the program
  3. Detect red flags that have been incorporated into the program
  4. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
  5. Ensure the program is updated periodically to reflect changes in risk to customers or to the safety and soundness of the creditor from identity theft

Depending upon the particular policies developed, changes to the municipality’s ordinances may or may not be required. The rules allow tremendous local discretion for the municipality to assess its own risks and to determine the appropriate scope of the Red Flags policies that are adopted.
