New Federal Requirements for Municipal Utilities
COMPLIANCE REQUIRED BY NOVEMBER 1, 2008
If your municipality provides utility services, including water services, with individual customer accounts, then your municipality has until November 1, 2008, to adopt and implement written identity theft prevention policies. Additional requirements apply if your municipality uses consumer credit reports to establish residential utility accounts. Failure to implement such policies can result in civil penalties of up to $2,500 per violation.
The new requirements, known as "Red Flag Rules," were issued by the Federal Trade Commission in 2007 as part of the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). The FACT Act added new provisions to the Fair Credit Reporting Act (15 U.S.C. §1681, et seq.). One purpose of the FACT Act was to provide new protections to consumers against the growing problem of identity theft.
The Red Flag Rules apply to "financial institutions" and "creditors" with "covered accounts." The FTC has defined creditors as including utility companies and non-profit and government entities that defer payment for goods or services. Covered accounts are defined as accounts used mostly for personal, family, or household purposes and that involve multiple payments or transactions. These include utility accounts. The FTC has taken the position that municipalities and other government entities that provide utility services to residents will be treated as "utilities" under the Red Flag Rules.
If your municipality provides utility services to residents, using individual accounts, then the Red Flag Rules require your municipality to implement a written program to detect the warning signs, or "red flags" of identity theft in connection with the opening of new accounts and the maintenance of existing accounts. "Red flags" include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. Your municipality must also describe policies to prevent and mitigate identity theft and include a plan to update the program and to train staff to effectively implement the program.
Miller Canfield would be happy to discuss how the Red Flag Rules may affect your individual entity. For more information on compliance and the development of policy language, please contact Tom Colis.