Federal Red Flags Rule

Townships are subject to new federal identity theft prevention rules, referred to as the “Red Flags Rule,” and some Michigan townships, including townships that maintain utility billing accounts, will be required to take steps to comply with those rules by May 1, 2009.

On September 9, 2007, several federal agencies adopted joint rules and guidelines to implement sections 114 and 315 of the federal Fair and Accurate Credit Transactions Act of 2003 (FACT). The joint rules and guidelines were effective January 1, 2008, and the mandatory compliance date was extended to May 1, 2009.

Fighting Fraud with the Red Flags Rule

FTC Web Resource, including guidebook

Release July 29, 2009: Enforcement delayed until November 1, 2009

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until November 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.

During outreach efforts last year, the FTC staff learned that some industries and entities within the agency’s jurisdiction were uncertain about their coverage under the Red Flags Rule. During this time, FTC staff developed and published materials to help explain what types of entities are covered, and how they might develop their identity theft prevention programs. Among these materials were an alert on the Rule’s requirements, www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm, and a Web site with more resources to help covered entities design and implement identity theft prevention programs, www.ftc.gov/redflagsrule. The compliance template will be available on that Web site.

Federal Register, Friday, November 9, 2007 (.pdf)

The complete text of all the rules, but most useful for the overview at the beginning, and then the Federal Trade Commission (FTC) version of the rules at the end (page 63771). 

The FACT Act--An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies, Division of Privacy and Identity Protection, Federal Trade Commission (.pdf)

Identity Theft/Red Flags Industry Guidance and Compliance Procedures, Industry Conference Call presentation, August 11, 2008, Office of Thrift Supervision (.pdf)

Any township that maintains utility billing accounts, even through a third party, or maintains any continuing account (utility or otherwise) that is designed to permit multiple payments, or maintains any other type of continuing account for which there is a reasonably foreseeable risk from identity theft, is likely required to implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with those accounts.

Each individual township must determine, possibly with assistance from local legal counsel or the township's auditor, whether its specific circumstances require Red Flag Rules compliance. Although the rules have been in effect since January 1, 2008, there has been much confusion regarding whether municipalities, including townships, are required to comply--in part because the multiple federal agencies enforcing the rules have not traditionally regulated local governments and are not familiar with local government activities.

MTA staff are working to identify and develop Michigan-specific resources:

Township Examples

Hartland Township, Livingston County Identity Theft Prevention Program Policy (October 2008)

Here are some other resources on the Red Flag Rules:

Kentucky League of Cities Sample Red Flag Policy (.pdf)

Kentucky League of Cities, "Getting Ready: Risk Assessment for Red Flags" (.pdf)

Kentucky League of Cities, "Preparing to Write a Red Flag Policy" (.pdf)

Kentucky League of Cities, "Red Flag Requirements for Municipal Utilities" (.pdf)

North Carolina League of Municipalities Memo on Red Flag Rules (.pdf) 

The Federal Trade Commission, in response to questions from local government organizations, has recently identified some specific positions regarding local governments, including townships:

"Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors." (FTC Business Alert, June 2008)

"FTC representatives confirmed that the Red Flag requirements apply to all municipal utilities and other operations for which [municipalities] provide services before they bill the customer. ... The key to whether municipalities are "creditors" is whether they defer payment for goods and services as defined under the Red Flag Rules. This includes utility billing. ... FTC personnel clarified that it is their view that municipalities "defer payments" by their utility customers when water, electic, gas, trash and the like [services] are sold to customers day-by-day but paid for at the end of the billing cycle. They specifically rejected the idea that an up-front deposit equal to an average monthly bill would remove cities and towns from falling under the regulations. In answer to a direct question, they stated that the only way to escape coverage would be for a municipal utility to bill the customer prior to providing the monthly utility service. ... When questioned whether municipalities have Red Flag duties for their franchised utilities, it was clear that the FTC officials were unaware of how franchises work. The issue here is whether the new regulations would require municipalities to investigate whether the franchised utility had an adequate identity theft prevention program in place. FTC staff will research this issue ...." (Municipal Policy Review, No. 7, July 23, 2008, Oklahoma Municipal League, Inc.)